Lecture #21 - Virtual Local Area Networks (VLANs)
What is a VLAN?
A Virtual Local Area Network or VLAN is a normal switched network that has been logically segmented into smaller virtual networks. The logical segments are usually created to match the organisational structure.
VLAN Benefits
A number of benefits can result from the implementation of VLANs, including:
- Broadcast control.
- Improved network management.
- Increased network segmentation/isolation.
- Improved performance.
- Increased security.
Physical LANs Revisited
Recall that a Local Area Network provides a single broadcast domain. Any broadcast traffic will be transmitted to all devices connected to the physical network.
If the network is constructed using hubs, a single collision domain exists and all traffic will be propagated to all hosts on the network. The use of switches will isolate hosts and only broadcast and multicast traffic will be seen by all hosts on the physical network.
VLAN Segmentation
If VLANs are implemented, segmentation is no longer limited to the physical network. Instead, traffic will be isolated to a VLAN segment, which may extend over multiple physical networks. Additionally, a broadcast is confined to the VLAN and traffic will not reach all devices connected to the physical segment.
VLAN Membership
In order to create VLANs, membership to a specific VLAN must be established for particular traffic. This can be achieved via a static or dynamic mapping, using a number of methods:
- Port Based
- This is possibly the most common approach. A port on a switch (or a group of ports on a switch) is simply mapped to a specified VLAN.
- MAC Address Based
- Traffic is assigned to a VLAN based on the source MAC address. One obvious benefit of this approach is that the VLAN mapping is based on the host and it does not matter which port the device is plugged into.
- Protocol Based
- The VLAN mapping is based on the network layer protocol that is encapsulated. For example, this would allow IP traffic to be segregated from IPX or NetBEUI traffic.
VLAN Tagging and 802.1Q
An interesting challenge that occurs with the implementation of VLANs is that of routing traffic between physical networks whilst maintaining the VLAN information.
IEEE 802.1q addresses this problem by allowing Ethernet frames to be "tagged" with information that identifies the VLAN membership.
802.1q tagged frames can be passed from switch to switch and are only delivered to members of the specified VLAN. It is also possible for end devices to support 802.1q tagging themselves, in which case a VLAN can be implemented on top of a non-VLAN capable switch.
Trunk Links (or Trunking)
Trunking is the process of connecting VLAN capable devices together in such a way that the VLAN membership information is maintained. Additionally the VLAN capable devices need to be configured so that they are aware of the VLAN trunk.
All VLAN capable switches need to be physically connected together to form a "trunk" - effectively the backbone for the VLANs. Each port used to connect to the trunk needs to be configured for trunking. This allows VLANs to span multiple physical networks.
When a frame leaves a switch through a port that is not a trunk port, the 802.1q tag is removed, returning the frame to a standard 802.3 format. Obviously the frame will only be switched to ports that have been mapped to the VLAN that was identified within the tag. Once the frame has exited the switch there is no longer any information that associates the frame with a VLAN.
When a frame is sent out a trunk port the 802.1q tag is left on the Ethernet frame, allowing it to be identified as belonging to a specific VLAN. Obviously this is required if another switch is to forward the traffic onto members of a VLAN that are physically connected to it.
Additionally, a trunk can be formed between two 802.1q capable devices (or between a switch and an 802.1q capable end device).
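To make the membership and tagging behaviour above concrete, here is a small simulation (an added example, not part of the lecture): 802.1q tag insertion, parsing and removal, plus a port-based VLAN switch that floods a frame only to ports in the same VLAN, stripping the tag on ordinary ports and keeping it on trunk ports. The Switch class, the port numbers and the sample broadcast frame are constructed for illustration; the switch floods rather than learning MAC addresses, and it drops untagged frames arriving on a trunk, which is an assumption made here.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1q tagged frame

def parse_tag(frame: bytes):
    """Return (pcp, dei, vid) if the frame carries an 802.1q tag, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]  # Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VID
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1q tag between the source MAC and the EtherType."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, returning the frame to plain 802.3 format (no-op if untagged)."""
    return frame[:12] + frame[16:] if parse_tag(frame) else frame

class Switch:
    """Port-based VLAN switch: each access port maps to one VID, trunk ports carry tags."""
    def __init__(self, access: dict, trunks: set):
        self.access, self.trunks = access, trunks  # {port: vid}, {port}

    def forward(self, in_port: int, frame: bytes) -> dict:
        # Ingress: a tagged frame on a trunk keeps its VID; an access port assigns its VID.
        if in_port in self.trunks:
            tag = parse_tag(frame)
            if tag is None:
                return {}  # untagged frame on a trunk: assumption here is that it is dropped
            vid = tag[2]
        else:
            vid = self.access[in_port]
        out = {}  # {egress port: frame as it leaves that port}
        for port in self.access.keys() | self.trunks:
            if port == in_port:
                continue
            if port in self.trunks:
                out[port] = add_tag(strip_tag(frame), vid)  # trunk egress: tag stays on
            elif self.access[port] == vid:
                out[port] = strip_tag(frame)  # access egress: tag removed, same VLAN only
        return out

# Constructed sample: a broadcast ARP frame (60 bytes) and a switch with access
# ports 1 and 2 in VLAN 10, port 3 in VLAN 20, and port 4 configured as a trunk.
BCAST = bytes.fromhex("ffffffffffff" "001122334455") + b"\x08\x06" + b"\x00" * 46
sw = Switch(access={1: 10, 2: 10, 3: 20}, trunks={4})
```

Calling sw.forward(1, BCAST) shows the broadcast confined to VLAN 10: it reaches port 2 untagged and port 4 with VID 10 in the tag, but never port 3.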
Trunking Protocols
In addition to manually configuring VLANs, a number of protocols exist that facilitate configuration and distribution of VLAN membership information between switches. This significantly reduces the network administration overhead, especially when a significant number of switches are involved in a VLAN configuration.
VLAN Trunking Protocol
Cisco's proprietary solution is their VLAN Trunking Protocol (VTP). When a VLAN is configured on a VTP server the VLAN information is distributed to all switches via the use of VTP advertisements. VTP information is distributed using VLAN 1.
GARP VLAN Registration Protocol
The IEEE standard is the GARP VLAN Registration Protocol or GVRP, which as the name implies, is built on top of the Generic Attribute Registration Protocol (GARP). GVRP aware devices are able to dynamically establish VLANs by propagating configuration information.
VLAN Routing
In order for traffic to cross between VLANs, the traffic must cross a router. Depending on the configuration of the network, traffic may arrive at the router without a VLAN tag in which case normal routing applies.
If the router is configured to participate in the VLAN trunks then it can accept 802.1q tagged frames, which it will decapsulate before making a routing decision. The frame will then be re-tagged and transmitted back into the trunk.
It is also possible for routing to be performed within the network via the use of "Layer 3" switches. These are effectively hybrid switches/routers that are capable of making routing decisions within the network.
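As an added example (not from the lecture or any vendor's code), the decapsulate, route, re-tag sequence described above for a router that participates in the trunk, with one sub-interface per VLAN. The VlanRouter class, its sub-interface table, the ARP table and the sample frame are all constructed assumptions, and TTL decrement and IP checksum handling are left out.

```python
import ipaddress
import struct

class VlanRouter:
    """Router attached to the trunk with one sub-interface per VLAN (constructed model).
    subifs: {vid: "network/prefix"} attached on that VLAN; arp: {"ip": mac bytes}."""
    def __init__(self, mac: bytes, subifs: dict, arp: dict):
        self.mac = mac
        self.subifs = {vid: ipaddress.ip_network(net) for vid, net in subifs.items()}
        self.arp = {ipaddress.ip_address(ip): m for ip, m in arp.items()}

    def route(self, frame: bytes):
        """Decapsulate an 802.1q tagged IPv4 frame, choose the egress VLAN by destination
        subnet, and return (out_vid, re-tagged frame), or None if it cannot be forwarded."""
        if frame[12:14] != b"\x81\x00" or frame[16:18] != b"\x08\x00":
            return None                                   # not a tagged IPv4 frame (assumption: ignored)
        in_vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        if in_vid not in self.subifs:
            return None                                   # no sub-interface on the ingress VLAN
        ip_packet = frame[18:]                            # IPv4 packet follows tag + EtherType
        dst = ipaddress.ip_address(ip_packet[16:20])      # IPv4 destination sits at offset 16
        out_vid = next((v for v, net in self.subifs.items() if dst in net), None)
        if out_vid is None or dst not in self.arp:
            return None                                   # no route, or no L2 next hop known
        # Re-tag for the destination VLAN and send back into the trunk (TTL/checksum omitted).
        header = self.arp[dst] + self.mac + struct.pack("!HH", 0x8100, out_vid) + b"\x08\x00"
        return out_vid, header + ip_packet

# Constructed sample: host 10.0.10.5 in VLAN 10 sends an IPv4 packet to 10.0.20.7 in VLAN 20.
ROUTER_MAC = bytes.fromhex("02aabbccdd01")
HOST_B_MAC = bytes.fromhex("02aabbccdd20")
ipv4 = bytes.fromhex("45000014000040004001")  # ver/IHL, TOS, total length 20, id, flags, TTL 64, ICMP
ipv4 += b"\x00\x00" + ipaddress.ip_address("10.0.10.5").packed + ipaddress.ip_address("10.0.20.7").packed
SAMPLE = ROUTER_MAC + bytes.fromhex("02aabbccdd10") + b"\x81\x00" + struct.pack("!H", 10) + b"\x08\x00" + ipv4
rtr = VlanRouter(ROUTER_MAC, {10: "10.0.10.0/24", 20: "10.0.20.0/24"}, {"10.0.20.7": HOST_B_MAC})
```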