Virtual LAN
From Wikipedia, the free encyclopedia
A virtual LAN, commonly written VLAN, is a method of creating independent logical networks within a physical network. Several VLANs can co-exist in the same physical network. Each VLAN is its own broadcast domain, so dividing a LAN into VLANs reduces the size of each broadcast domain and administratively separates logical segments (for example company departments) that should not exchange data at layer 2; such segments can still communicate through a router.
A VLAN consists of a network of computers that behave as if connected to the same wire, even though they may actually be physically connected to different segments of a LAN. Network administrators configure VLANs in software rather than by rewiring, which makes them very flexible. One of the biggest advantages of VLANs emerges when a computer is physically moved to another location: it can stay on the same VLAN without any hardware reconfiguration.
On Cisco switches, VLAN 1 is the default VLAN and cannot be deleted; every port belongs to it until configured otherwise. Untagged frames arriving on a trunk are placed in the trunk's native VLAN, which is VLAN 1 by default. Because Cisco control protocols such as CDP, VTP and DTP also run over VLAN 1, and because the native VLAN is what double-tagging attacks rely on (see VLAN hopping below), it is good practice to keep user ports out of VLAN 1 and to set the native VLAN of each trunk to an otherwise unused VLAN.
Advantages of VLAN
- Increases the number of broadcast domains while reducing the size of each one, which cuts broadcast traffic and limits what a host can reach or sniff at layer 2 (both of which suffer in a single large broadcast domain)
- Reduces management effort to create subnetworks
- Reduces hardware requirement, as networks can be logically instead of physically separated
- Increases control over multiple traffic types.
Protocols and design
The IEEE 802.1Q tagging protocol dominates the VLAN world. Before 802.1Q was introduced, several proprietary protocols existed, such as Cisco's ISL (Inter-Switch Link) and 3Com's VLT (Virtual LAN Trunk). Cisco has since dropped ISL in favour of 802.1Q.
Early network designers often configured VLANs with the aim of reducing the size of the collision domain in a large single Ethernet segment and thus improving performance. Once Ethernet switches made this a non-issue (every switch port is its own collision domain, and full-duplex links have no collisions at all), attention turned to reducing the size of the broadcast domain at the MAC layer. VLANs can also restrict access to network resources without regard to the physical topology of the network, but the strength of this method depends entirely on switch configuration, because VLAN hopping is a common means of bypassing it. The two usual forms are switch spoofing, where a host on a port that is allowed to auto-negotiate trunking (Cisco's DTP) presents itself as a switch and obtains a trunk carrying every VLAN, and double tagging, where a host in the native VLAN of a trunk sends frames carrying two 802.1Q tags, so that the first switch strips the outer (native) tag and the next switch forwards the frame into the VLAN named by the inner tag. The standard mitigations are to disable trunk negotiation on user-facing ports, to set the native VLAN of every trunk to an otherwise unused VLAN, and to keep sensitive hosts in a VLAN that user ports can only reach through a router or firewall.
Virtual LANs operate at layer 2 (the data link layer) of the OSI model. However, administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving layer 3 (the network layer).
In the context of VLANs, the term "trunk" denotes a network link carrying multiple VLANs, each identified by a label (or "tag") inserted into its frames. Such trunks run between "tagged ports" of VLAN-aware devices, so they are usually switch-to-switch or switch-to-router links rather than links to hosts. (Confusingly, the term "trunk" is also used for what Cisco calls "channels": link aggregation or port trunking.) A router, or a Layer 3 switch, is needed to forward traffic between different VLANs.
On Cisco devices, VTP (VLAN Trunking Protocol) propagates VLAN definitions to every switch in a VTP domain, which can aid administration. VTP also allows "pruning", which sends a VLAN's traffic over a trunk only to switches that have ports in that VLAN. One caveat: a switch joining the domain with a higher configuration revision number overwrites the VLAN database of every other switch in it, so VTP domains should be protected with a VTP password, and switches that do not need to share VLAN definitions should run in transparent mode.
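The following is an added example in Python, not code from the original article or from any switch vendor, showing what an 802.1Q tag looks like on the wire and why the native VLAN of a trunk matters. It builds and parses tagged frames, including stacked (double) tags, and models a deliberately simplified switch that strips the native VLAN tag on trunk egress and assigns untagged frames to the native VLAN on ingress. The MAC addresses, VLAN numbers and frames are constructed for the example; the model assumes, as in the classic description of the attack, that the first switch accepts a frame tagged with the port's own access VLAN, and it ignores MAC learning and other details of real switches.

```python
"""802.1Q tag parsing and a simplified model of native-VLAN handling on a trunk.

Added example; frames, MAC addresses and VLAN numbers are constructed, and the
switch model is deliberately minimal (no MAC learning, no access-port checks).
"""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_HDR_LEN = 14      # dst(6) + src(6) + EtherType(2) for an untagged frame


def build_frame(dst, src, vids, ethertype, payload, pcp=0):
    """Build an Ethernet frame with zero or more 802.1Q tags, outermost first."""
    out = bytearray(dst + src)
    for vid in vids:
        tci = (pcp << 13) | (vid & 0x0FFF)          # TCI = PCP(3) | DEI(1) | VID(12)
        out += struct.pack("!HH", TPID_8021Q, tci)
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def parse_frame(frame):
    """Return (dst, src, [outer_vid, ..., inner_vid], payload_ethertype, payload).

    Walks any number of stacked 802.1Q tags and stops at the first EtherType
    that is not a tag, so a double-tagged frame yields two VIDs.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    offset, vids = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != TPID_8021Q:
            break
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)                    # VID is the low 12 bits of the TCI
    return dst, src, vids, ethertype, frame[offset:]


def trunk_egress(frame, native_vid):
    """What a switch puts on the wire when a frame leaves through a trunk port.

    Frames that belong to the native VLAN are sent untagged: the outer tag is
    removed and whatever follows it (possibly a second tag) goes out unchanged.
    """
    dst, src, vids, ethertype, payload = parse_frame(frame)
    if vids and vids[0] == native_vid:
        return build_frame(dst, src, vids[1:], ethertype, payload)
    return frame


def trunk_ingress_vlan(frame, native_vid):
    """VLAN the receiving switch assigns to a frame that arrives on a trunk port.

    Untagged frames land in the native VLAN; tagged frames go to the outer VID.
    """
    vids = parse_frame(frame)[2]
    return vids[0] if vids else native_vid


def double_tag_hop(native_vid, attacker_vid=1, target_vid=20):
    """Replay the double-tagging VLAN hopping scenario and return the VLAN the
    frame ends up in at the second switch.

    The attacker sits in VLAN `attacker_vid` on switch 1 and sends a frame with
    two tags: outer = its own VLAN, inner = the VLAN it wants to reach.
    """
    attacker = bytes.fromhex("02aabbccddee")        # constructed MAC addresses
    victim = bytes.fromhex("021122334455")
    ipv4_stub = b"\x45" + b"\x00" * 19             # placeholder IPv4 header bytes
    crafted = build_frame(victim, attacker, [attacker_vid, target_vid], 0x0800, ipv4_stub)
    on_wire = trunk_egress(crafted, native_vid)     # switch 1 forwards over its trunk
    return trunk_ingress_vlan(on_wire, native_vid)  # switch 2 classifies the frame


if __name__ == "__main__":
    # Native VLAN left at the default of 1 and attacker in VLAN 1: the outer tag
    # is stripped on the trunk and switch 2 delivers the frame into VLAN 20.
    print("native VLAN 1   ->", double_tag_hop(native_vid=1))    # 20
    # Native VLAN moved to an unused VLAN: the outer tag survives, frame stays in VLAN 1.
    print("native VLAN 999 ->", double_tag_hop(native_vid=999))  # 1
```

The first case is the one the native-VLAN warning above refers to: switch 1 never forwarded anything in VLAN 20, yet switch 2 delivers the frame there, because the tag it sees is the one the attacker put underneath the native tag. Replies cannot come back the same way, which is why double tagging is a one-way injection rather than a two-way path. Moving the trunk's native VLAN to an unused number (the second case) leaves the outer tag in place, so the frame is classified into the attacker's own VLAN and the inner tag is never consulted.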
Assigning VLAN Memberships
Four methods are in common use:
- Port-based: A switch port is manually configured to be a member of a VLAN. This method only works if all machines on the port belong to the same VLAN.
- MAC-based: VLAN membership is based on the MAC address of the workstation. The switch has a table listing of the MAC address of each machine, along with the VLAN to which it belongs.
- Protocol-based: Layer 3 information in the frame (in practice the EtherType, e.g. IPv4, IPv6 or AppleTalk) is used to determine VLAN membership. For example, IP machines can be placed in the first VLAN and AppleTalk machines in the second. The major disadvantage of this method is that it ties layer 2 configuration to layer 3 protocols, so a change such as an upgrade from IPv4 to IPv6 requires the classification rules on the switch to be updated, or the new traffic will be misclassified.
- Authentication-based: devices are placed into VLANs automatically according to the credentials of the user or device, using IEEE 802.1X; the authentication server (typically RADIUS) returns the VLAN to assign along with the access decision.
External links
- IEEE's 802.1Q standard, 1998 version (2003 version)
- Cisco's Overview of Routing between Virtual LANs
- Cisco's Bridging Between IEEE 802.1Q VLANs white paper
- University of California's VLAN Information
- OpenWRT guide to VLANs: a good beginner's guide to VLANs
- A VLAN FAQ