Friday, July 22, 2011

Virtual LAN


Virtual LAN (VLAN) provides a flexible method of managing network segments using Ethernet LAN switches. When using VLANs in networks that have multiple interconnected switches, you need to use VLAN trunking between the switches.
VLANs give management flexibility by creating separate Virtual LAN segments or subnets, which can be used to define different location or departmental networks. The use of VLANs within the LAN is optional and is normally influenced by specific local network requirements.
Virtual LAN Concepts
Before understanding Virtual LANs, a precise definition of a LAN is needed. A LAN includes all devices in the same broadcast domain. A broadcast domain is the set of all LAN-connected devices such that, when any one of them sends a broadcast frame, every other device in the same LAN gets a copy of the frame. So, you can think of a LAN and a broadcast domain as being basically the same thing.
Without VLANs, a switch treats all interfaces on the switch as being in the same broadcast domain – in other words, all connected devices are in the same LAN. With VLANs, a switch can put some interfaces into one broadcast domain and some into another. Essentially, the switch creates multiple broadcast domains. These individual broadcast domains created by the switch are called virtual LANs.
VLAN Basics
One or more switches can create a virtual LAN (VLAN), which is a broadcast domain. A VLAN is created by putting some interfaces of the switch in one VLAN and some in another.
So, instead of all ports on a switch forming a single broadcast domain, the switch separates them into many, based on configuration. The two figures below illustrate this. The first figure shows two switches creating two separate broadcast domains, one per switch. No VLANs are created.
Two Switches Creates Two Separate Broadcast Domains
Alternately, multiple broadcast domains can be created by using a single switch. The figure shown below is the same two broadcast domains as in the above figure, but now implemented as two different VLANs on a single switch.
Two Different Vlans On A Single Switch
There is no reason to use VLANs for a small network environment as shown in the above figure. However, there are many motivations for using VLANs, including the following:
  • To group users by department, or by groups that work together, instead of by physical location
  • To reduce overhead by limiting the size of each broadcast domain
  • To enforce better security by keeping sensitive devices on a separate VLAN
  • To separate specialized traffic from mainstream traffic—for example, putting IP telephones on a separate VLAN from user PCs
Creating VLANs
We can configure interfaces by simply associating each interface with a VLAN, for example “interface 0/1 is in VLAN 1” and “interface 0/2 is in VLAN 5”, and so on. This is what we call port-based VLANs, the typical choice for configuring VLANs on a switch: it is easy to configure and does not require knowing the MAC address of the device. However, good documentation is required to make sure that the right cable from the right device runs into the right switch port, thereby placing it in the right VLAN.
Another, rarely used alternative is to group devices into a VLAN based on MAC address. This creates the administrative overhead of configuring the MAC address of each device: a good register of all the MAC addresses configured across the various switches, associating each MAC address with a VLAN, is needed for ease of management. The benefit is that when a device moves to a different switch port and sends a frame, it stays in the same VLAN, so devices can move around more easily.
Trunking VLAN with ISL and 802.1q
The use of VLAN trunking is needed when using VLANs in networks that have multiple interconnected switches.
The switches need a way to identify the VLAN from which the frame was sent when sending a frame to another switch. VLAN trunking allows the switches to tag each frame sent between switches so that the receiving switch knows which VLAN the frame belongs to. The idea is outlined in the figure below.
VLAN trunking is needed when using VLANs in networks that have multiple interconnected switches
Multiple VLANs that have members on more than one switch can be supported with VLAN trunking. For example, when Switch1 receives a broadcast from a device in VLAN1, it needs to forward the broadcast to Switch2. Before sending the frame, Switch1 adds another header to the original Ethernet frame; that new header has the VLAN number in it. When Switch2 receives the frame, it sees that the frame was from a device in VLAN1, so Switch2 knows that it should forward the broadcast only out its own interfaces in VLAN1.
Cisco switches support two different VLAN trunking protocols, Inter-Switch Link (ISL) and IEEE 802.1q. Both provide the basic trunking shown in the figure above, but they differ in how the VLAN tag is applied to the frame.
Best practices for deployment of Virtual LANs:
  • VLANs need not be used in every network, but can be useful in LAN environments where large device populations (many hundreds) exist and/or security concerns justify them. If used, the VLAN environment should be simple, intuitive and well documented.
  • The recommended approach for VLANs is to define them based on location or departmental function. This is done to restrict broadcast traffic (broadcast domain) to the individual VLAN segment. The number of VLANs defined in a switched LAN should reflect the functional and management requirements of the particular network.
  • Multiple switches can be transparently interconnected by using VLAN trunking. VLAN trunking provides a tagging mechanism to transparently transport VLANs across multiple switch chassis. VLANs are defined in the IEEE 802.3 and IEEE 802.1q standards.
The following section provides further information on VLAN trunking protocols:
There are two main VLAN trunking protocols in use today, namely IEEE 802.1q and Cisco’s ISL. The choice of trunking protocol is normally based on the actual switch hardware platform being used.
IEEE 802.1q is a standards-based VLAN trunking protocol that inserts an internal tag into the existing Ethernet frame. This is done in hardware and includes recalculating the Ethernet frame checksum (FCS). The tag records the VLAN the frame came from and ensures that the frame is delivered only to ports in the same VLAN, which prevents datagrams from leaking between different VLANs.
ISL (Inter-Switch Link) applies an external tag to the existing Ethernet frame. This is also done in hardware and consists of an external wrapper placed around the original frame.
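To make the two-switch broadcast example and the 802.1q tag insertion above concrete, here is an added Python model (not code from the original post): it inserts and strips the 4-byte 802.1q tag after the destination/source MAC header, and a minimal port-based switch floods a broadcast only to access ports in the same VLAN, tagging it onto the trunk. The port names, VLAN numbers and the sample frame are constructed for the example; the FCS is omitted, and an untagged frame arriving on the trunk is rejected rather than mapped to a native VLAN.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q-tagged frame

def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the 12-byte dst/src MAC header.
    Frames here carry no FCS; a real switch recomputes it after tagging."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id          # TCI = PCP(3) | DEI(1) | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vlan_id, frame_without_tag); vlan_id is None if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

class Switch:
    """Port-based VLAN switch: access_ports maps port name -> VLAN ID."""
    def __init__(self, access_ports, trunk_port=None):
        self.access_ports = access_ports
        self.trunk_port = trunk_port

    def flood(self, in_port, frame):
        """Broadcast arriving on in_port -> {out_port: frame to send}."""
        if in_port == self.trunk_port:
            vlan, frame = untag_frame(frame)
            if vlan is None:      # simplification: no native VLAN on this trunk
                raise ValueError("untagged frame received on trunk")
        else:
            vlan = self.access_ports[in_port]
        out = {p: frame for p, v in self.access_ports.items()
               if v == vlan and p != in_port}     # same VLAN only, never back out
        if self.trunk_port is not None and in_port != self.trunk_port:
            out[self.trunk_port] = tag_frame(frame, vlan)  # tag toward peer switch
        return out

def demo():
    # Constructed sample: broadcast (ARP EtherType) from a host on Switch1 port 0/1 (VLAN 1)
    frame = bytes.fromhex("ffffffffffff" "02005e000001" "0806") + b"\x00" * 28
    sw1 = Switch({"0/1": 1, "0/2": 5, "0/3": 1}, trunk_port="0/24")
    sw2 = Switch({"0/1": 1, "0/2": 5}, trunk_port="0/24")
    out1 = sw1.flood("0/1", frame)              # floods 0/3 and tags onto 0/24
    out2 = sw2.flood("0/24", out1["0/24"])      # strips tag, floods VLAN 1 only
    return out1, out2
```

Running demo() shows Switch1 delivering the frame to port 0/3 and, tagged with VLAN 1, to the trunk, while Switch2 forwards it only to its own VLAN 1 port and never to the VLAN 5 port.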
When connecting multiple switches via a trunk it is important to ensure that both switches support the same VLAN trunking protocol. The use of any automatic negotiation of the VLAN trunking protocol is discouraged due to the possibility of trunk misconfigurations.
For large switched VLAN deployments a VLAN management protocol such as VTP (VLAN Trunking Protocol) can be used. VTP allows VLANs to be defined once at a single location and synchronized to other switches in the same administrative domain.
Deployment of VLANs should be well designed and simple to manage. Documentation should be accurate and kept up to date to assist with network support activities. Normally VLANs are not required for small networks (<100 users at a single site), but for large scale networks, VLANs do offer many management advantages.
One important thing to note is that traffic between different VLANs must be routed. If high speed inter-VLAN connectivity is required, then the use of a high performance layer-3 (Multi-Layer Switch) switch is recommended.
Connecting multiple VLANs between different switch chassis requires the use of a trunking protocol such as ISL or IEEE 802.1q. Ensure that the switches support the same trunking protocol on the inter-switch trunk link.