17-10-2016, 11:51 AM
1459361178-VLANreport.pdf (Size: 283.97 KB / Downloads: 6)
The Virtual LAN Technology Report
by David Passmore and John Freeman
Introduction
Virtual LANs (VLANs) have recently developed into an integral feature of switched LAN solutions from every major LAN equipment vendor. Although end-user enthusiasm for VLAN implementation has yet to take off, most organizations have begun to look for vendors that have a well-articulated VLAN strategy, as well as VLAN functionality built into products today. One of the reasons for the attention placed on VLAN functionality now is the rapid deployment of LAN switching that began in 1994/1995. The shift toward LAN switching as a replacement for local/departmental routers—and now even shared media devices (hubs)—will only accelerate in the future. With the rapid decrease in Ethernet and Token Ring switch prices on a per-port basis, many more ambitious organizations are moving quickly toward networks featuring private port (single user/port) LAN switching architectures. Such a desktop switching architecture is ideally suited to VLAN implementation. To understand why private port LAN switching is so well suited to VLAN implementation, it is useful to review the evolution of segmentation and broadcast containment in the network over the past several years.
In the early 1990s, organizations began to replace two-port bridges with multiport, collapsed backbone routers in order to segment their networks at layer 3 and thus also contain broadcast traffic. In a network using only routers for segmentation, segments and broadcast domains correspond on a one-to-one basis. Each segment typically contained between 30 and 100 users.
With the introduction of switching, organizations were able to divide the network into smaller, layer 2–defined segments, enabling increased bandwidth per segment. Routers could now focus on providing broadcast containment, and broadcast domains could now span multiple switched segments, easily supporting 500 or more users per broadcast domain. However, the continued deployment of switches, dividing the network into more and more segments (with fewer and fewer users per segment) does not reduce the need for broadcast containment. Using routers, broadcast domains typically remain in the 100 to 500 user range.
VLANs represent an alternative solution to routers for broadcast containment, since VLANs allow switches to also contain broadcast traffic. With the implementation of switches in conjunction with VLANs, each network segment can contain as few as one user (approaching private port LAN switching), while broadcast domains can be as large as 1,000 users or perhaps even more. In addition, if implemented properly, VLANs can track workstation movements to new locations without requiring manual reconfiguration of IP addresses.
Why haven’t more organizations deployed VLANs? For the vast majority of end-user organizations, switches have yet to be implemented on a large enough scale to necessitate VLANs. That situation will soon change. There are, however, other reasons for the lukewarm reception that VLANs have received from network users up to now:
• VLANs have been, and are still, proprietary, single-vendor solutions. As the networking industry has shown, proprietary solutions are anathema to the multivendor/open systems policies that have developed in the migration to local area networks and the client server model.
• Despite the frequently quoted numbers illuminating the hidden costs of networking, such as administration and moves/adds/changes, customers realize that VLANs have their own administrative costs, both straightforward and hidden.
• Although many analysts have suggested that VLANs enhance the ability to deploy centralized servers, customers may look at enterprise-wide VLAN implementation and see difficulties in enabling full, high-performance access to centralized servers.
This paper discusses these and other issues in greater detail, and attempts to determine the strategic implications that VLANs, present and future, pose for enterprise networks.
Defining VLANs
What is a VLAN? With the multitude of vendor-specific VLAN solutions and implementation strategies, defining precisely what VLANs are has become a contentious issue. Nevertheless, most people would agree that a VLAN can be roughly equated to a broadcast domain. More specifically, VLANs can be seen as analogous to a group of end-stations, perhaps on multiple physical LAN segments, that are not constrained by their physical location and can communicate as if they were on a common LAN.
However, at this point, issues such as the extent to which end-stations are not constrained by physical location, the way VLAN membership is defined, the relationship between VLANs and routing, and the relationship between VLANs and ATM have been left up to each vendor. To a certain extent these are tactical issues, but how they are resolved has important strategic implications.
Because there are several ways in which VLAN membership can be defined, this paper divides VLAN solutions into four general types: port grouping, MAC-layer grouping, network-layer grouping, and IP multicast grouping. We will discuss the issue of manual vs. automatic VLAN configuration, and describe techniques by which VLANs may be extended across multiple switches in the network. Finally, the paper takes a look at the present state of VLAN standards.
Membership by Port Group
Many initial VLAN implementations defined VLAN membership by groups of switch ports (for example, ports 1, 2, 3, 7, and 8 on a switch make up VLAN A, while ports 4, 5, and 6 make up VLAN B). Furthermore, in most initial implementations, VLANs could only be supported on a single switch.
Second-generation implementations support VLANs that span multiple switches (for example, ports 1 and 2 of switch #1 and ports 4, 5, 6, and 7 of switch #2 make up VLAN A; while ports 3, 4, 5, 6, 7, and 8 of switch #1 combined with ports 1, 2, 3, and 8 of switch #2 make up VLAN B). This scenario is depicted in Figure 1.
Port grouping is still the most common method of defining VLAN membership, and configuration is fairly straightforward. Defining VLANs purely by port group does not allow multiple VLANs to include the same physical segment (or switch port). However, the primary limitation of defining VLANs by port is that the network manager must reconfigure VLAN membership when a user moves from one port to another.
Membership by MAC Address
VLAN membership based on MAC-layer address has a different set of advantages and disadvantages. Since MAC-layer addresses are hard-wired into the workstation’s network interface card (NIC), VLANs based on MAC addresses enable network managers to move a workstation to a different physical location on the network and have that workstation automatically retain its VLAN membership. In this way, a VLAN defined by MAC address can be thought of as a user-based VLAN.
One of the drawbacks of MAC address–based VLAN solutions is the requirement that all users must initially be configured to be in at least one VLAN. After that initial manual configuration, automatic tracking of users is possible, depending on the specific vendor solution. However, the disadvantage of having to initially configure VLANs becomes clear in very large networks where thousands of users must each be explicitly assigned to a particular VLAN. Some vendors have mitigated the onerous task of initially configuring MAC-based VLANs by using tools that create VLANs based on the current state of the network—that is, a MAC address–based VLAN is created for each subnet.
MAC address–based VLANs that are implemented in shared media environments will run into serious performance degradation as members of different VLANs coexist on a single switch port. In addition, the primary method of communicating VLAN membership information between switches in a MAC address–defined VLAN also runs into performance degradation with larger-scale implementations. This is explained in “Communicating VLAN Membership Information,” later in this paper.
Another, but minor, drawback to VLANs based only on MAC-layer addresses emerges in environments that use significant numbers of notebook PCs with some docking stations. The problem is that the docking station and integrated network adapter (with its hard-wired MAC-layer address) usually remain on the desktop, while the notebook travels with the user. When the user moves to a new desk and docking station, the MAC-layer address changes, making VLAN membership impossible to track. In such an environment, VLAN membership must be updated constantly as users move around and use different docking stations. While this problem may not be particularly common, it does illustrate some of the limitations of MAC address–based VLANs.
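The port-group and MAC-address membership models described in the two sections above, as an added Python example that is not part of the report: a small switch model that learns addresses per VLAN, floods broadcasts only within a VLAN, and shows what a user's move to another port does under each model. The port numbers follow the report's single-switch example; the MAC addresses and the idea of an unassigned docking-station adapter are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class VlanSwitch:
    """Switch that defines VLAN membership by port group, or by source MAC
    when a MAC table is supplied, and floods broadcasts only within a VLAN."""

    def __init__(self, port_vlans, mac_vlans=None):
        self.port_vlans = port_vlans    # port -> VLAN (port-group membership)
        self.mac_vlans = mac_vlans      # MAC -> VLAN (MAC-layer membership)
        self.fdb = {}                   # (vlan, mac) -> port, learned per VLAN

    def vlan_of(self, ingress, src):
        """Membership decision: the ingress port's group, or the sender's MAC
        entry (None if that MAC was never assigned to a VLAN)."""
        if self.mac_vlans is not None:
            return self.mac_vlans.get(src)
        return self.port_vlans.get(ingress)

    def member_ports(self, vlan):
        """Ports that may receive a flood for `vlan`: the configured group, or,
        for MAC membership, the ports where members of `vlan` were last heard."""
        if self.mac_vlans is not None:
            return {p for (v, _), p in self.fdb.items() if v == vlan}
        return {p for p, v in self.port_vlans.items() if v == vlan}

    def forward(self, ingress, src, dst):
        """Egress ports for a frame: one port for a learned unicast destination,
        a flood inside the VLAN for broadcast/unknown, nothing if unassigned."""
        vlan = self.vlan_of(ingress, src)
        if vlan is None:
            return []
        self.fdb[(vlan, src)] = ingress          # learning is scoped to the VLAN
        if dst != BROADCAST and (vlan, dst) in self.fdb:
            return [self.fdb[(vlan, dst)]]
        return sorted(self.member_ports(vlan) - {ingress})

# The report's single-switch example: ports 1, 2, 3, 7, 8 = VLAN A; 4, 5, 6 = VLAN B.
PORT_GROUPS = {1: "A", 2: "A", 3: "A", 7: "A", 8: "A", 4: "B", 5: "B", 6: "B"}
A1, A2, B1 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"  # constructed
MAC_GROUPS = {A1: "A", A2: "A", B1: "B"}   # the initial manual assignment

def move_demo(mode):
    """a1, a2 (VLAN A) on ports 1 and 7 and b1 (VLAN B) on port 5 each broadcast;
    then a1 moves to port 4 (a VLAN B port) and broadcasts again. Returns the
    ports that last flood reaches under "port" or "mac" membership."""
    sw = VlanSwitch(PORT_GROUPS, MAC_GROUPS if mode == "mac" else None)
    for port, mac in [(1, A1), (7, A2), (5, B1)]:
        sw.forward(port, mac, BROADCAST)
    return sw.forward(4, A1, BROADCAST)
```

Under port grouping the moved user lands in VLAN B until the manager reconfigures the port; under MAC grouping the user keeps VLAN A, while a MAC that was never configured (a new docking-station adapter) is not placed in any VLAN at all.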
Layer 3–Based VLANs
VLANs based on layer 3 information take into account protocol type (if multiple protocols are supported) or network-layer address (for example, subnet address for TCP/IP networks) in determining VLAN membership. Although these VLANs are based on layer 3 information, this does not constitute a “routing” function and should not be confused with network-layer routing.
Even though a switch inspects a packet’s IP address to determine VLAN membership, no route calculation is undertaken, RIP or OSPF protocols are not employed, and frames traversing the switch are usually bridged according to implementation of the Spanning Tree Algorithm. Therefore, from the point of view of a switch employing layer 3–based VLANs, connectivity within any given VLAN is still seen as a flat, bridged topology.
Having made the distinction between VLANs based on layer 3 information and routing, it should be noted that some vendors are incorporating varying amounts of layer 3 intelligence into their switches, enabling functions normally associated with routing. Furthermore, “layer 3 aware” or “multi-layer” switches often have the packet-forwarding function of routing built into ASIC chip sets, greatly improving performance over CPU-based routers. Nevertheless, a key point remains: no matter where it is located in a VLAN solution, routing is necessary to provide connectivity between distinct VLANs.
There are several advantages to defining VLANs at layer 3. First, it enables partitioning by protocol type. This may be an attractive option for network managers who are dedicated to a service- or application-based VLAN strategy. Second, users can physically move their workstations without having to reconfigure each workstation’s network address—a benefit primarily for TCP/IP users. Third, defining VLANs at layer 3 can eliminate the need for frame tagging in order to communicate VLAN membership between switches, reducing transport overhead.
One of the disadvantages of defining VLANs at layer 3 (vs. MAC- or port-based VLANs) can be performance. Inspecting layer 3 addresses in packets is more time consuming than looking at MAC addresses in frames. For this reason, switches that use layer 3 information for VLAN definition are generally slower than those that use layer 2 information. It should be noted that this performance difference is true for most, but not all, vendor implementations.
VLANs defined at layer 3 are particularly effective in dealing with TCP/IP, but less effective with protocols such as IPX™, DECnet®, or AppleTalk®, which do not involve manual configuration at the desktop. Furthermore, layer 3–defined VLANs have particular difficulty in dealing with “unroutable” protocols such as NetBIOS. End-stations running unroutable protocols cannot be differentiated and thus cannot be defined as part of a network-layer VLAN.
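Layer 3 membership as the section describes it, in an added Python example that is not code from the report: constructed Ethernet frames are placed in a VLAN by IP subnet or by protocol type, and a NetBIOS frame carried over 802.2 LLC is left unplaced because it carries no network-layer header to inspect. The VLAN names, the subnet policy and the sample frames are assumptions; the EtherType and SAP values are the standard ones.

```python
import ipaddress

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137        # Novell IPX on Ethernet II
ETHERTYPE_APPLETALK = 0x809B  # AppleTalk (EtherTalk)
LLC_SAP_NETBIOS = 0xF0        # 802.2 SAP used by NetBIOS/NetBEUI

# Assumed policy: one VLAN per IP subnet, plus one VLAN per non-IP protocol type.
SUBNET_VLANS = {
    ipaddress.ip_network("192.0.2.0/24"): "ENG",
    ipaddress.ip_network("198.51.100.0/24"): "SALES",
}
PROTOCOL_VLANS = {ETHERTYPE_IPX: "NOVELL", ETHERTYPE_APPLETALK: "APPLETALK"}

def classify(frame):
    """Return the VLAN name for a raw Ethernet frame, or None when no layer 3
    information is available (LLC-only frames) or no rule matches."""
    if len(frame) < 14:
        return None
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype <= 1500:
        # 802.3 length field: payload is 802.2 LLC (e.g. NetBIOS, DSAP 0xF0).
        # There is no network-layer header to inspect, so it cannot be placed.
        return None
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < 34 or frame[14] >> 4 != 4:
            return None                              # truncated or not IPv4
        src = ipaddress.ip_address(frame[26:30])     # IPv4 source at IP offset 12
        return next((v for net, v in SUBNET_VLANS.items() if src in net), None)
    return PROTOCOL_VLANS.get(ethertype)             # partition by protocol type

def llc_dsap(frame):
    """DSAP of an 802.3/802.2 frame, or None for an Ethernet II frame."""
    length = int.from_bytes(frame[12:14], "big")
    return frame[14] if length <= 1500 and len(frame) > 14 else None

# Constructed sample frames (addresses taken from the documentation ranges).
def frame(type_or_len, payload, src_mac=bytes.fromhex("00005e005301")):
    return bytes.fromhex("ffffffffffff") + src_mac + type_or_len.to_bytes(2, "big") + payload

def ipv4_frame(src_ip, dst_ip="192.0.2.255"):
    hdr = (bytes([0x45, 0x00]) + (20).to_bytes(2, "big") + bytes(4) + bytes([64, 17, 0, 0])
           + ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed)
    return frame(ETHERTYPE_IPV4, hdr)

def netbios_frame(data=b"name query"):
    llc = bytes([LLC_SAP_NETBIOS, LLC_SAP_NETBIOS, 0x03]) + data   # DSAP, SSAP, UI control
    return frame(len(llc), llc)                                    # length field, not an EtherType
```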
IP Multicast Groups as VLANs
IP multicast groups represent a somewhat different approach to VLAN definition, although the fundamental concept of VLANs as broadcast domains still applies. When an IP packet is sent via multicast, it is sent to an address that is a proxy for an explicitly defined group of IP addresses that is established dynamically. Each workstation is given the opportunity to join a particular IP multicast group by responding affirmatively to a broadcast notification, which signals that group’s existence. All workstations that join an IP multicast group can be seen as members of the same virtual LAN. However, they are only members of a particular multicast group for a certain period of time. Therefore, the dynamic nature of VLANs defined by IP multicast groups enables a very high degree of flexibility and application sensitivity. In addition, VLANs defined by IP multicast groups would inherently be able to span routers and thus WAN connections.
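The dynamic membership described above, as an added Python example that is not part of the report: stations join a group by answering its notification, lapse when they stop answering within the membership period, and are reached regardless of which segment or site they sit on. The 260-second interval, the group address and the station names are constructed values, not anything the report specifies.

```python
class MulticastVlan:
    """Membership for one multicast group address. A station joins by
    answering the group's notification and drops out once it has not
    answered again within `interval` seconds."""

    def __init__(self, group, interval=260.0):
        self.group = group          # e.g. "239.0.0.1" (constructed)
        self.interval = interval    # lifetime without a fresh answer (assumed value)
        self.members = {}           # station -> time of its last affirmative answer

    def notify(self, now, responders):
        """Broadcast notification of the group's existence: every station that
        answers affirmatively joins, or refreshes its membership."""
        for station in responders:
            self.members[station] = now
        self.expire(now)

    def expire(self, now):
        """Drop stations whose membership period has run out."""
        for station, last in list(self.members.items()):
            if now - last > self.interval:
                del self.members[station]

    def deliver(self, now, sender):
        """Stations that receive a packet sent to the group address at `now`.
        Membership ignores subnet or site, so a member behind a router or WAN
        link is reached just like one on the sender's own segment."""
        self.expire(now)
        return sorted(s for s in self.members if s != sender)

def demo():
    """Three stations answer at t=0; ws2 then stops answering. Returns the
    recipients at t=10 and at t=300, after ws2's membership has lapsed."""
    g = MulticastVlan("239.0.0.1")
    g.notify(0.0, ["ws1@lan1", "ws2@lan1", "ws3@wan-site"])
    first = g.deliver(10.0, "ws1@lan1")
    g.notify(200.0, ["ws1@lan1", "ws3@wan-site"])   # ws2 silent this round
    later = g.deliver(300.0, "ws1@lan1")
    return first, later
```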