Virtual LANs (VLANs)
A Virtual Local Area Network (VLAN) is a logical grouping of network users and resources connected to administratively defined ports on a switch. By creating VLANs, you can create smaller broadcast domains within a switch by assigning different ports on the switch to different subnetworks. A VLAN is treated like its own subnet or broadcast domain. This means that frames broadcast onto a network are switched only between ports in the same VLAN. Using virtual LANs, you're no longer confined to creating workgroups by physical location. VLANs can be organized by location, function, department, or even the application or protocol used, regardless of where the resources or users are located. In this chapter, you will learn what a VLAN is and how VLAN memberships are used in a switched internetwork. Also, I'll discuss how Virtual Trunk Protocol (VTP) is used to update switch databases with VLAN information. Trunking FastEthernet links will also be discussed; trunking allows you to send information about all VLANs across one link.
Virtual LANs
In a layer-2 switched network, the network is flat, as shown in Figure 1. Every broadcast packet transmitted is seen by every device on the network, regardless of whether the device needs to receive the data.
Because layer-2 switching creates an individual collision domain segment for each device plugged into the switch, the Ethernet distance constraints are lifted, which means larger networks can be built. But the larger the number of users and devices, the more broadcasts and packets each device must handle. Another problem with a flat layer-2 network is security, as all users can see all devices. You cannot stop devices from broadcasting or users from trying to respond to broadcasts. Your only security is the passwords on the servers and other devices.
By creating VLANs, you can solve many of the problems associated with layer-2 switching, as shown in the upcoming sections.
Security
One problem with the flat internetwork is that security was implemented by connecting hubs and switches together with routers. Security was maintained at the router, but anyone connecting to the physical network could access the network resources on that physical LAN. Also, a user could plug a network analyzer into the hub and see all the traffic in that network. Another problem was that users could join a workgroup by just plugging their workstations into the existing hub.
By using VLANs and creating multiple broadcast groups, administrators now have control over each port and user. Users can no longer just plug their workstations into any switch port and have access to network resources. The administrator controls each port and whatever resources it is allowed to use. Because groups can be created according to the network resources a user requires, switches can be configured to inform a network management station of any unauthorized access to network resources. If inter-VLAN communication needs to take place, restrictions on a router can also be implemented. Restrictions can also be placed on hardware addresses, protocols, and applications.
Flexibility and Scalability
Layer-2 switches read only frame headers for filtering; they do not look at the Network layer protocol. As a result, a switch forwards all broadcasts by default. However, by creating VLANs, you are essentially creating broadcast domains. Broadcasts sent out from a node in one VLAN will not be forwarded to ports configured in a different VLAN. By assigning switch ports or users to VLAN groups on a switch or group of connected switches (called a switch fabric), you have the flexibility to add only the users you want to a broadcast domain, regardless of their physical location. This can stop broadcast storms caused by a faulty network interface card (NIC) or an application from propagating throughout the entire internetwork.
When a VLAN gets too big, you can create more VLANs to keep the broadcasts from consuming too much bandwidth. The fewer users in a VLAN, the fewer users affected by broadcasts. To understand how a VLAN looks to a switch, it’s helpful to begin by first looking at a traditional collapsed backbone. Figure 2 shows a collapsed backbone created by connecting physical LANs to a router.
Each network is attached to the router and has its own logical network number. Each node attached to a particular physical network must match that network number to be able to communicate on the internetwork. Now let’s look at what a switch accomplishes. Figure 3 shows how switches remove the physical boundary.
Switches create greater flexibility and scalability than routers can by themselves. You can group users into communities of interest, which are known as VLAN organizations. Because of switches, we don't need routers anymore, right? Wrong. In Figure 3, notice that there are four VLANs or broadcast domains. The nodes within each VLAN can communicate with each other, but not with any node in another VLAN. When configured in a VLAN, the nodes think they are actually in a collapsed backbone as in Figure 2. What do the hosts in Figure 2 need to do to communicate with a node or host on a different network? They need to go through the router, or another layer-3 device, just as they do when configured for VLAN communication, as shown in Figure 3. Communication between VLANs, just as in physical networks, must go through a layer-3 device.
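To make the forwarding rule concrete, the following small Python model of a VLAN-aware switch shows why a broadcast stays inside its VLAN and why a frame addressed across VLANs never arrives without a layer-3 device. It is an added example, not part of the chapter, and the port numbers, VLAN IDs and MAC addresses are constructed.

```python
"""Toy VLAN-aware layer-2 switch (added example; not from the chapter).

Each access port is assigned to one VLAN. The switch learns MAC addresses
per VLAN, floods broadcasts and unknown unicasts only to ports in the same
VLAN, and never moves a frame between VLANs: that requires a layer-3 device.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC


@dataclass
class VlanSwitch:
    port_vlan: dict                                 # access port -> VLAN ID
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port

    def forward(self, in_port: int, frame: Frame) -> list:
        """Return the sorted egress ports for a frame received on in_port."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, frame.src)] = in_port   # learn only in this VLAN
        peers = sorted(p for p, v in self.port_vlan.items()
                       if v == vlan and p != in_port)
        if frame.dst == BROADCAST:
            return peers                 # the broadcast domain is the VLAN
        out = self.mac_table.get((vlan, frame.dst))
        if out is None:
            return peers                 # unknown unicast floods within the VLAN
        return [] if out == in_port else [out]


def demo() -> dict:
    """Constructed topology: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20."""
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20})
    host_a, host_b, host_c = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "cc:cc:cc:cc:cc:03"
    return {
        # A's broadcast reaches only the other VLAN 10 port, never ports 3 and 4.
        "a_broadcast": sw.forward(1, Frame(host_a, BROADCAST)),
        # B replies to A: A was learned in VLAN 10, so the frame is switched, not flooded.
        "b_to_a": sw.forward(2, Frame(host_b, host_a)),
        # C in VLAN 20 addresses A's MAC: A is unknown in VLAN 20, so the frame floods
        # VLAN 20 only and never reaches port 1. Crossing VLANs needs a router.
        "c_to_a": sw.forward(3, Frame(host_c, host_a)),
    }
```

Running `demo()` returns `{'a_broadcast': [2], 'b_to_a': [1], 'c_to_a': [4]}`: the VLAN boundary is enforced by the forwarding table itself, which is also why a sniffer on a VLAN 20 port sees none of VLAN 10's traffic.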