Virtual LAN
A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2).[1][2] LAN is the abbreviation for local area network and in this context virtual refers to a physical object recreated and altered by additional logic. VLANs work through tags within network packets and tag handling in networking systems - recreating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks. In this way, VLANs can keep networks separate despite being connected to the same network, and without requiring multiple sets of cabling and networking devices to be deployed.
VLANs allow network administrators to group hosts together even if the hosts are not on the same network switch. This can greatly simplify network design and deployment, because VLAN membership can be configured through software. Without VLANs, grouping hosts according to their resource needs necessitates the labor of relocating nodes or rewiring data links. VLANs also allow networks and devices that must be kept separate to share the same physical cabling without interacting, for reasons of simplicity, security, traffic management, or economy. For example, VLANs could be used to separate traffic within a business by user or user group (e.g. network administrators), or by type of traffic, so that ordinary users or low-priority traffic cannot directly affect the rest of the network's functioning. Many Internet hosting services use VLANs to separate their customers' private zones from each other, allowing each customer's servers to be grouped together in a single network segment while being located anywhere in their datacenter. Some precautions are needed to prevent traffic "escaping" from a given VLAN, an exploit known as VLAN hopping.
To subdivide a network into virtual LANs, one configures network equipment. Simpler equipment can partition only per physical port (if at all), in which case each VLAN is connected with a dedicated network cable. More sophisticated devices can mark frames through VLAN tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs. Since VLANs share bandwidth, a VLAN trunk can use link aggregation, quality-of-service prioritization, or both to route data efficiently.
Uses
Network architects set up VLANs to provide the network segmentation services traditionally provided by routers only in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies filter broadcast traffic, enhance network security, perform address summarization, and mitigate network congestion. Switches may not bridge network traffic between VLANs, as doing so would violate the integrity of the VLAN broadcast domain.
In a network based on broadcasts to all listeners to find peers, as the number of peers on a network grows, the frequency of broadcasts also increases, potentially to a point such that much of the network time and capacity is occupied with sending broadcasts exclusively among all members. VLANs can help reduce network traffic by forming multiple broadcast domains, to break up a large network into smaller independent segments with less total broadcast traffic being sent to every device on the overall network.
VLANs can also help create multiple layer 3 networks on a single physical infrastructure. For example, if a Dynamic Host Configuration Protocol (DHCP) server is plugged into a switch it will serve any host on that switch that is configured for DHCP. By using VLANs, the network can be easily split up, so some hosts will not use that DHCP server and will obtain link-local addresses, or obtain an address from a different DHCP server.
VLANs are data link layer (OSI layer 2) constructs, analogous to Internet Protocol (IP) subnets, which are network layer (OSI layer 3) constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN.
In a legacy network, users were assigned to networks based on geography and were limited by physical topologies and distances. VLANs can logically group networks to decouple the users' network location from their physical location. By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.[2]
VLANs can be used to partition a local network into several distinctive segments,[3] for example:
- Production
- Voice over IP
- Network management
- Storage area network (SAN)
- Guest Internet access network
- Demilitarized zone (DMZ)
- Client separation (ISP, in a large facility, or in a datacenter)
A common infrastructure shared across VLAN trunks can provide a measure of security with great flexibility for a comparatively low cost. Quality of service schemes can optimize traffic on trunk links for real-time (e.g. VoIP) or low-latency requirements (e.g. SAN). However, VLANs used as a security control must be implemented with great care, as they can be defeated if implemented carelessly.[4]
In cloud computing VLANs, IP addresses, and MAC addresses in the cloud are resources that end users can manage. Placing cloud-based virtual machines on VLANs may be preferable to placing them directly on the Internet to help mitigate security issues.[5]
History
After successful experiments with voice over Ethernet from 1981 to 1984, Dr. W. David Sincoskie joined Bellcore and began addressing the problem of scaling up Ethernet networks. At 10 Mbit/s, Ethernet was faster than most alternatives at the time. However, Ethernet was a broadcast network and there was no good way of connecting multiple Ethernet networks together. This limited the total bandwidth of an Ethernet network to 10 Mbit/s and the maximum distance between any two nodes to a few hundred feet.
By contrast, although the existing telephone network's peak speed for individual connections was limited to 56 kbit/s (less than one hundredth of Ethernet's speed), the total bandwidth of that network was estimated at 1 Tbit/s, capable of moving over a hundred thousand times more information in a given timescale.
Although it was possible to use IP routing to connect multiple Ethernet networks together, it was expensive and relatively slow. Sincoskie started looking for alternatives that required less processing per packet. In the process he independently reinvented the self-learning Ethernet switch.[6]
However, using switches to connect multiple Ethernet networks in a fault-tolerant fashion requires redundant paths through that network, which in turn requires a spanning tree configuration. This ensures that there is only one active path from any source node to any destination on the network. This causes centrally located switches to become bottlenecks, which limits scalability as more networks are interconnected.
To help alleviate this problem, Sincoskie invented VLANs by adding a tag to each Ethernet frame. These tags could be thought of as colors, say red, green, or blue. Then each switch could be assigned to handle frames of a single color, and ignore the rest. The networks could be interconnected with three spanning trees, one for each color. By sending a mix of different frame colors, the aggregate bandwidth could be improved. Sincoskie referred to this as a multitree bridge. He and Chase Cotton created and refined the algorithms necessary to make the system feasible.[7] This "color" is what is now known in the Ethernet frame as the IEEE 802.1Q header, or the VLAN tag. While VLANs are commonly used in modern Ethernet networks, using them for the original purpose would be rather unusual.
In 2003, Ethernet VLANs were described in the first edition of the IEEE 802.1Q standard.[8]
In 2012, the IEEE approved IEEE 802.1aq (shortest path bridging) to standardize load-balancing and shortest path forwarding of (multicast and unicast) traffic allowing larger networks with shortest path routes between devices. In 802.1aq Shortest Path Bridging Design and Evolution: The Architect's Perspective David Allan and Nigel Bragg stated that shortest path bridging is one of the most significant enhancements in Ethernet's history.[9]
Configuration and design considerations
Early network designers often configured VLANs with the aim of reducing the size of the collision domain in a large single Ethernet segment and thus improving performance. When Ethernet switches made this a non-issue (because each switch port is a collision domain), attention turned to reducing the size of the broadcast domain at the MAC layer. A VLAN can also serve to restrict access to network resources without regard to physical topology of the network, although the strength of this method remains debatable as VLAN hopping is a means of bypassing such security measures if not prevented. VLAN hopping can be mitigated with proper switchport configuration.[10]
VLANs operate at Layer 2 (the data link layer) of the OSI model. Administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving Layer 3 (the network layer). In the context of VLANs, the term "trunk" denotes a network link carrying multiple VLANs, which are identified by labels (or "tags") inserted into their packets. Such trunks must run between "tagged ports" of VLAN-aware devices, so they are often switch-to-switch or switch-to-router links rather than links to hosts. (Note that the term "trunk" is also used for what Cisco calls "channels": link aggregation or port trunking.) A router (Layer 3 device) serves as the backbone for network traffic going across different VLANs.
A basic switch not configured for VLANs has VLAN functionality disabled or permanently enabled with a default VLAN that contains all ports on the device as members.[2] The default VLAN typically has an ID of 1. Every device connected to one of its ports can send packets to any of the others. Separating ports by VLAN groups separates their traffic very much like connecting each group using a distinct switch for each group.
It is only when the VLAN port group is to extend to another device that tagging is used. Since communications between ports on two different switches travel via the uplink ports of each switch involved, every VLAN containing such ports must also contain the uplink port of each switch involved, and traffic through these ports must be tagged.
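The forwarding rules just described (access ports carry one untagged VLAN, uplink or trunk ports carry several VLANs tagged, and a broadcast stays inside its VLAN) as an added, simplified switch model. This is illustrative code written for this article, not any vendor's implementation; the port table, frame dictionaries and MAC addresses are constructed for the example.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Toy VLAN-aware switch (hypothetical model, not a real implementation).

    ports maps a port number to ("access", pvid) or ("trunk", {allowed vids}).
    A frame is a dict {"dst", "src", "vid"}; vid is None for an untagged
    frame on the wire and an int when the frame carries an 802.1Q tag.
    """

    def __init__(self, ports):
        self.ports = ports
        # Forwarding database is kept per VLAN: vid -> {mac: port}.
        self.fdb = defaultdict(dict)

    def ingress_vid(self, port, frame):
        """Classify an arriving frame into a VLAN, or None to drop it."""
        mode, cfg = self.ports[port]
        if mode == "access":
            # An access port has a single VLAN; tagged frames are not accepted.
            return cfg if frame["vid"] is None else None
        # A trunk reads the tag and only admits VLANs it is allowed to carry.
        return frame["vid"] if frame["vid"] in cfg else None

    def egress(self, port, vid, frame):
        """Return the frame as sent on this port, or None if not forwarded."""
        mode, cfg = self.ports[port]
        if mode == "access":
            # Leaves the switch untagged, and only if the port is in that VLAN.
            return dict(frame, vid=None) if cfg == vid else None
        # Trunk egress keeps the VLAN identity in the tag.
        return dict(frame, vid=vid) if vid in cfg else None

    def forward(self, in_port, frame):
        """Return {out_port: frame_as_sent}; unknown destinations are flooded
        only to ports belonging to the same VLAN."""
        vid = self.ingress_vid(in_port, frame)
        if vid is None:
            return {}
        self.fdb[vid][frame["src"]] = in_port
        known = self.fdb[vid].get(frame["dst"])
        if frame["dst"] != BROADCAST and known is not None:
            candidates = [known]
        else:
            candidates = list(self.ports)
        result = {}
        for port in candidates:
            if port == in_port:
                continue  # never send a frame back out the port it came in on
            sent = self.egress(port, vid, frame)
            if sent is not None:
                result[port] = sent
        return result
```

Running a broadcast from an access port in VLAN 10 shows it reaching only the other VLAN 10 access port (untagged) and the trunk (tagged 10), never the VLAN 20 port.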
Management of the switch requires that the administrative functions be associated with one or more of the configured VLANs. If the default VLAN were deleted or renumbered without first moving the management connection to a different VLAN, it is possible for the administrator to be locked out of the switch configuration, normally requiring physical access to the switch to regain management by either a forced clearing of the device configuration (possibly to the factory default), or by connecting through a console port or similar means of direct management.
Switches typically have no built-in method to indicate VLAN port members to someone working in a wiring closet. It is necessary for a technician to either have administrative access to the device to view its configuration, or for VLAN port assignment charts or diagrams to be kept next to the switches in each wiring closet. These charts must be manually updated by the technical staff whenever port membership changes are made to the VLANs.
Generally, VLANs within the same organization will be assigned different non-overlapping network address ranges. This is not a requirement of VLANs. There is no issue with separate VLANs using identical overlapping address ranges (e.g. two VLANs each use the private network 192.168.0.0/16). However, it is not possible to route data between two networks with overlapping addresses without delicate IP remapping, so if the goal of VLANs is segmentation of a larger overall organizational network, non-overlapping addresses must be used in each separate VLAN.
Network technologies with VLAN capabilities include:
- Asynchronous Transfer Mode (ATM)
- Fiber Distributed Data Interface (FDDI)
- Ethernet
- HiperSockets
- InfiniBand
Protocols and design
The protocol most commonly used today to configure VLANs is IEEE 802.1Q. The IEEE committee defined this method of multiplexing VLANs in an effort to provide multivendor VLAN support. Prior to the introduction of the 802.1Q standard, several proprietary protocols existed, such as Cisco Inter-Switch Link (ISL) and 3Com's Virtual LAN Trunk (VLT). Cisco also implemented VLANs over FDDI by carrying VLAN information in an IEEE 802.10 frame header, contrary to the purpose of the IEEE 802.10 standard.
Both ISL and IEEE 802.1Q tagging perform "explicit tagging" - the frame itself is tagged with VLAN information. ISL uses an external tagging process that does not modify the Ethernet frame, while 802.1Q uses a frame-internal field for tagging, and therefore does modify the Ethernet frame. This internal tagging is what allows IEEE 802.1Q to work on both access and trunk links: standard Ethernet frames are used and so can be handled by commodity hardware.
IEEE 802.1Q
Under IEEE 802.1Q, the maximum number of VLANs on a given Ethernet network is 4,094 (the 4,096 provided for by the 12-bit VID field minus reserved values 0x000 and 0xFFF). This does not impose the same limit on the number of IP subnets in such a network, since a single VLAN can contain multiple IP subnets. IEEE 802.1ad extends 802.1Q by adding support for multiple, nested VLAN tags ('QinQ'). Shortest Path Bridging (IEEE 802.1aq) expands the VLAN limit to 16 million.
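The tag layout behind these numbers (a 16-bit TPID followed by a 16-bit TCI whose low 12 bits are the VID, with 802.1ad stacking an S-tag in front of the C-tag) as an added parser and builder. This is example code written for this article, not from the standard or any project; the TPID values 0x8100 and 0x88A8 are the ones assigned for 802.1Q and 802.1ad tags, and the frames used below are constructed.

```python
import struct

TPID_8021Q = 0x8100    # customer (C-)tag, IEEE 802.1Q
TPID_8021AD = 0x88A8   # service (S-)tag, IEEE 802.1ad ("QinQ")
RESERVED_VIDS = {0x000, 0xFFF}   # the two reserved values, leaving 4,094 usable
USABLE_VLANS = 4096 - len(RESERVED_VIDS)


def parse_tags(frame: bytes):
    """Split an Ethernet II frame into (dst, src, tags, ethertype, payload).

    Every 802.1ad/802.1Q tag is peeled in order, outermost first, as a dict
    with tpid, pcp, dei, vid and a 'reserved' flag for VID 0 or 4095.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break  # reached the real EtherType of the payload
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vid = tci & 0x0FFF
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
                     "vid": vid, "reserved": vid in RESERVED_VIDS})
        off += 4  # each tag adds 4 bytes inside the frame, after the addresses
    return dst, src, tags, etype, frame[off + 2:]


def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes, pcp=0):
    """Build a frame; with two or more VIDs the outermost tag is an 802.1ad S-tag."""
    hdr = dst + src
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def tag_findings(frame: bytes, expect_tags: int = 1):
    """Defender-side sanity check: report reserved VIDs and more tags than
    the link is expected to carry (e.g. a nested tag on a plain 802.1Q link)."""
    _, _, tags, _, _ = parse_tags(frame)
    findings = [f"reserved VID {t['vid']}" for t in tags if t["reserved"]]
    if len(tags) > expect_tags:
        findings.append(f"{len(tags)} tags where {expect_tags} expected")
    return findings
```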
Cisco Inter-Switch Link (ISL)
Inter-Switch Link (ISL) is a Cisco proprietary protocol used to interconnect multiple switches and maintain VLAN information as traffic travels between switches on trunk links. This technology provides one method for multiplexing bridge groups (VLANs) over a high-speed backbone. It is defined for Fast Ethernet and Gigabit Ethernet, as is IEEE 802.1Q. ISL has been available on Cisco routers since Cisco IOS Software Release 11.1.
With ISL, an Ethernet frame is encapsulated with a header that transports VLAN IDs between switches and routers. ISL does add overhead to the frame as a 26-byte header containing a 10-bit VLAN ID. In addition, a 4-byte CRC is appended to the end of each frame. This CRC is in addition to any frame checking that the Ethernet frame requires. The fields in an ISL header identify the frame as belonging to a particular VLAN.
A VLAN ID is added only if the frame is forwarded out a port configured as a trunk link. If the frame is to be forwarded out a port configured as an access link, the ISL encapsulation is removed.
Cisco VLAN Trunking Protocol (VTP)
Multiple VLAN Registration Protocol
Shortest Path Bridging
IEEE 802.1aq (Shortest Path Bridging, SPB) allows all paths to be active with multiple equal-cost paths, provides much larger layer 2 topologies (up to 16 million compared to the 4096 VLAN limit), faster convergence times, and improves the use of mesh topologies through increased bandwidth and redundancy between all devices by allowing traffic to load-share across all paths of a mesh network.
Establishing VLAN memberships
The two common approaches to assigning VLAN membership are as follows:
- Static VLANs
- Dynamic VLANs
Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.
Dynamic VLANs are created using software or by protocol. With a VLAN Management Policy Server (VMPS), an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the switch queries a database for the VLAN membership of the port that device is connected to. Protocol methods include Multiple VLAN Registration Protocol (MVRP) and the somewhat obsolete GARP VLAN Registration Protocol (GVRP).
Protocol-based VLANs
In a switch that supports protocol-based VLANs, traffic is handled on the basis of its protocol. Essentially, this segregates or forwards traffic from a port depending on the particular protocol of that traffic; traffic of any other protocol is not forwarded on the port.
For example, it is possible to connect the following to a given switch:
- A host generating Address Resolution Protocol (ARP) traffic to port 10
- A network with Internetwork Packet Exchange (IPX) traffic to port 20
- A router forwarding IP traffic to port 30
If a protocol-based VLAN is created that supports IP and contains all three ports, this prevents IPX traffic from being forwarded to ports 10 and 30, and ARP traffic from being forwarded to ports 20 and 30, while still allowing IP traffic to be forwarded on all three ports.
VLAN Cross Connect
VLAN Cross Connect (CC) is a mechanism used to create switched VLANs. VLAN CC uses IEEE 802.1ad frames in which the S-tag is used as a label, as in MPLS. The IEEE approves the use of such a mechanism in part 6.11 of IEEE 802.1ad-2005.
See also
- HVLAN
- Multiple VLAN Registration Protocol
- GARP VLAN Registration Protocol
- Private VLAN
- Virtual network
- VLAN access control list
- VoIP recording
- Virtual Extensible LAN (VXLAN)
- Virtual Private LAN Service
- Virtual private network
- Switch virtual interface
- Wide Area Network
- Software-defined networking
References
- ↑ IEEE 802.1Q-2011, 1. Overview
- ↑ IEEE 802.1Q-2011, 1.4 VLAN aims and benefits
- ↑ "Engineering - Discovery Publication" (PDF). Discovery Institute. Retrieved 18 June 2015.
- ↑ SANS Institute InfoSec Reading Room. SANS Institute.
- ↑ Amies A, Wu C F, Wang G C, Criveti M (2012). "Networking on the cloud". IBM developerWorks, June 21.
- ↑ Sincoskie, W. D. (2002). "Broadband packet switching: a personal perspective". IEEE Commun. 40: 54–66.
- ↑ W. D. Sincoskie and C. J. Cotton, "Extended Bridge Algorithms for Large Networks". IEEE Network, Jan. 1988.
- ↑ IEEE Std. 802.1Q-2003, Virtual Bridged Local Area Networks (PDF; 3.5 MiB). ISBN 0-7381-3663-8.
- ↑ Allan, David; Bragg, Nigel (2012). 802.1aq Shortest Path Bridging Design and Evolution: The Architects' Perspective. New York: Wiley. ISBN 978-1-118-14866-2.
- ↑ Rik Farrow. "VLAN Insecurity". Archived from the original on 2014-04-21.
Further reading
- Andrew S. Tanenbaum, 2003, "Computer Networks", Pearson Education International, New Jersey.
External links
- IEEE's 802.1Q standard: 1998 version, 2003 version, 2005 version
- Cisco home page for Virtual LANs/VLAN Trunking Protocol (VLANs/VTP) (discusses DSL, DTP, GVRP, ISL, VTP, 802.1Q)
- Cisco's Overview of Routing between VLANs
- University of California's VLAN Information
- OpenWRT guide to VLANs: Provides a beginners' guide to VLANs
- Study of VLAN usage in Purdue University's Campus Network
- Towards Systematic Design of Enterprise Networks: Demonstrates how to systematically produce a VLAN design
- VLAN And Benefits: Provides basic VLAN information and configuration steps.