Introduction

Virtual LANs (VLANs) have developed into an integral feature of the switched LAN products of every major LAN equipment vendor. Although end-user enthusiasm for VLAN deployment has been slow to build, most organizations now look for vendors that have a well-articulated VLAN strategy as well as VLAN functionality built into the products they ship today. One reason for the attention VLANs receive is the rapid deployment of LAN switching that began in 1994/1995. A VLAN lets a group of stations attached to different switches, floors or buildings share one broadcast domain as if they were on a common LAN segment, with the switches rather than routers doing the segmentation.
 

Defining VLANs

What is a VLAN? With the multitude of vendor-specific VLAN solutions and implementation strategies, defining precisely what VLANs are has become a contentious issue. Nevertheless, most people would agree that a VLAN can be roughly equated to a broadcast domain. More specifically, VLANs can be seen as analogous to a group of end-stations, perhaps on multiple physical LAN segments, that are not constrained by their physical location and can communicate as if they were on a common LAN.

However, at this point, issues such as the extent to which end-stations are not constrained by physical location, the way VLAN membership is defined, the relationship between VLANs and routing, and the relationship between VLANs and ATM have been left up to each vendor. To a certain extent these are tactical issues, but how they are resolved has important strategic implications.

Because there are several ways in which VLAN membership can be defined, this paper divides VLAN solutions into four general types: port grouping, MAC-layer grouping, network-layer grouping, and policy-based grouping that combines the other three. We will discuss the issue of manual vs. automatic VLAN configuration, and describe techniques by which VLANs may be extended across multiple switches in the network. Finally, the paper takes a look at the present state of VLAN standards.
 
 

What are VLANs?

In a traditional LAN, workstations are connected to each other by means of a hub or a repeater. These devices propagate any incoming data to every port. If two stations transmit at the same time, a collision occurs and both transmissions are lost; the hubs and repeaters propagate the collision throughout the segment, and the senders must back off and retransmit, wasting time and bandwidth. To stop collisions from reaching every workstation in the network, a bridge or a switch can be used. These devices do not forward collisions, but they do forward broadcasts (frames addressed to every station) and multicasts (frames addressed to a pre-specified group of stations). A router is needed to stop broadcasts and multicasts from spreading across the network.

The workstations, hubs and repeaters together form a LAN segment. A LAN segment is also known as a collision domain, since collisions remain within the segment. The area within which broadcasts and multicasts are confined is called a broadcast domain, or simply a LAN; a LAN can therefore consist of one or more LAN segments. Which stations share a broadcast domain or a collision domain depends entirely on how the workstations, hubs, switches and routers are physically cabled together. In practice this means that everyone who is to share a LAN must be attached to the same physical wiring, which usually means the same floor or area.
VLANs allow a network manager to logically segment a switched LAN into separate broadcast domains. Because the segmentation is logical rather than physical, workstations do not have to be located together: users on different floors of the same building, or even in different buildings, can belong to the same VLAN.
VLANs also allow broadcast domains to be defined without using routers. The switch's bridging software is configured instead to define which ports or stations belong to each broadcast domain, and a router is needed only to carry traffic between two VLANs.
 

So, a VLAN can be described as follows:

A virtual (or logical) LAN is a local area network with a definition that maps workstations on some basis other than geographic location (for example, by department, type of user, or primary application). The virtual LAN controller can change or add workstations and manage load balancing and bandwidth allocation more easily than with a physical picture of the LAN. Network management software keeps track of the relationship between the virtual picture of the local area network and the actual physical picture.

The name is also used for something quite different: a commercial remote-access service, marketed as "Virtual LAN" by a company called Virtual LAN Technologies, in which client software installed on each workstation connects over the web to a hosted service that gives users access to their data and programs from anywhere in the world. That service is an application-level offering carried over the public Internet; it is not the Layer 2 switch feature discussed in the rest of this paper, which confines traffic within a switched network, and the two should not be confused when evaluating either one.

The idea behind that service is to provide file and application sharing to people who are always on the move. Because they constantly change their physical location, it is difficult or impossible for, say, a sales team to share large amounts of data or programs conveniently. The service addresses this by making any amount of data easily accessible at any time from anywhere in the world, and it can also serve as a custom extranet between an organization and its clients.
 
 

VLAN components

The following components are essential for VLAN solutions. They provide the scalability necessary for migrating from an installed base of shared LAN technologies to the latest architecture of per-user switched communications.

LAN Segmentation

VLANs allow logical network topologies to overlay the physical switched infrastructure such that any arbitrary collection of LAN ports can be combined into an autonomous user group or community of interest. The technology logically segments the network into separate Layer 2 broadcast domains whereby packets are switched between ports designated to be within the same VLAN. By containing traffic originating on a particular LAN only to other LANs in the same VLAN, switched virtual networks avoid wasting bandwidth, a drawback inherent to traditional bridged and switched networks in which packets are often forwarded to LANs with no need for them. Implementation of VLANs also improves scalability, particularly in LAN environments that support broadcast- or multicast-intensive protocols and applications that flood packets throughout the network.
 

Inter-VLAN Communications

The Cisco IOS supports full routing of several protocols over ISL and ATM LANE virtual LANs. IP, Novell IPX, and AppleTalk routing are supported over IEEE 802.10 VLANs. Standard routing attributes, such as network advertisements, secondary addresses, and helper addresses are applicable, and VLAN routing is fast switched. The following table shows the protocols supported for each VLAN encapsulation format and the corresponding Cisco IOS releases.

Inter-VLAN Routing Protocol Support (minimum Cisco IOS release; "--" means no release is listed for that combination)

Protocol                                  ISL            ATM LANE       IEEE 802.10
IP                                        Release 11.1   Release 10.3   Release 11.1
Novell IPX (default encapsulation)        Release 11.1   Release 10.3   Release 11.1
Novell IPX (configurable encapsulation)   Release 11.3   Release 10.3   Release 11.3
AppleTalk Phase II                        Release 11.3   Release 10.3   --
DECnet                                    Release 11.3   Release 11.0   --
Banyan VINES                              Release 11.3   Release 11.2   --
XNS                                       Release 11.3   Release 11.2   --

VLAN Translation

VLAN translation refers to the ability of the Cisco IOS software to translate between different virtual LANs or between VLAN and non-VLAN encapsulating interfaces at Layer 2. Translation is typically used for selective inter-VLAN switching of non-routable protocols and to extend a single VLAN topology across hybrid switching environments. It is also possible to bridge VLANs on the main interface; the VLAN encapsulating header is preserved. Topology changes in one VLAN domain do not affect a different VLAN.
 
 

Designing Switched VLANs

By the time you are ready to configure routing between VLANs, you will already have defined them on the switches in your network. Issues related to network design and VLAN definition should be addressed during the network design phase. Refer to the Cisco Internetworking Design Guide and the appropriate switch documentation for information on those topics.

What to look for in a switch's virtual LAN capability

Every switch manufacturer recognizes the need to support some form of virtual LAN, and often a vendor's virtual LAN capability parallels its switching capability. However, there are some features that any good VLAN implementation will have:

Multiple media types

A VLAN (and its associated switch(es)) should be capable of accommodating different media types. Switched networks are moving to structures which allow central resources (a backbone) to run at greater speeds than workstations. An example of this could be 10 Mbps Ethernet workstations accessing a server connected to a switch by 100 Mbps Ethernet, Gigabit Ethernet or ATM. An administrator should be sure that the VLAN capability of their switch handles any media type currently used by their organization as well as any media that may be integrated in the future.
 
 

Switches and hubs

For years network planners have designed LANs using hubs and routers. A huge infrastructure is now in place that cannot be replaced overnight. Even if that were possible, it would not be justifiable, since most users do not have bandwidth demands that require a dedicated switch port. Network managers can place users who do not need a dedicated switch port on a port of a hub, and the hub can then be connected to a port on a switch, a configuration similar to what network managers have done for years with routers.

Each switch port should be capable of supporting multiple virtual LANs. This way even though the workstations attached to the hub don't have their own dedicated switch port they can still be connected to VLANs.
 
 

Switches combined with routing

Some LAN switches are capable of performing layer-three routing (IP and IPX). This provides a mechanism for moving data between virtual LANs. However, billions of dollars of multiprotocol routers are already installed in networks and users of these products have made substantial investments in installing and learning to use these devices. One way (and possibly the best way) to use routers is to use them as links between virtual LANs. This way routers do what they're best at--routing.

Servers supporting multiple VLANs

Much like the workstations accessing them, servers have grown far more powerful than those in use just five years ago, and large numbers of workstations now connect to large, powerful servers. In router/hub networks this often means that a request from a workstation goes out on its own segment, across a backbone to the server, and the reply comes back the same way. If requests from end stations must always cross the backbone, a bottleneck in the backbone is likely. In addition, every time a packet passes through a router on its way to and from the server, the router must look up the route, decrement the hop count and rewrite the frame headers; the delay this adds is latency. With advanced VLAN implementations, servers can be members of multiple VLANs, so traffic to them does not have to pass through routers or be broadcast across the backbone. Broadcast traffic is contained within each VLAN and does not spread needlessly throughout the network.
 
 

Workstations connecting to multiple virtual LANs

Some workstations need to be connected to more than one virtual LAN. For instance if a network manager creates a VLAN for every department in a company, then each vice president may need to be part of an executive VLAN as well as a VLAN for their respective departments (i.e. the vice president of sales would also have access to a sales VLAN).

In another example, a workstation might be using Novell NetWare to reach a departmental file server, and TCP/IP to connect to a corporate enterprise application running on a UNIX machine. These two resources would logically be placed on separate virtual LANs. This way TCP/IP network traffic is kept to TCP/IP workstations and does not affect IPX traffic, and likewise the IPX traffic does not interfere with the TCP/IP application.
 
 

Multiple switch networks

Virtual LANs are of little benefit if they can't span multiple switches. The need for switching is greatest in mid-sized and larger organizations, which usually need multiple switches. Some way is needed to link workstations and servers which are connected to a number of switches into a single virtual LAN.
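The broadcast-domain behaviour described under "LAN Segmentation" and "What are VLANs?", together with the way a VLAN is carried between the switches discussed in this section, is illustrated by the following Python model. It is example code written for this page, not code from the paper or from any switch vendor. Two switches, S1 and S2, are joined by a trunk on port 24; the tag a frame carries across the trunk stands in for ISL or IEEE 802.1Q. Port numbers, MAC addresses and VLAN numbers are made up.

```python
"""VLAN-aware switch model: per-VLAN MAC learning, flooding limited to one
VLAN, and a tagged trunk between two switches. Added example, not from the
paper; addresses and port numbers are constructed for the demo."""
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst: str
    src: str
    vlan: Optional[int] = None   # tag carried on a trunk; None on an access-port frame
    payload: str = ""


class Switch:
    def __init__(self, name):
        self.name = name
        self.access = {}        # port -> VLAN of that access port
        self.trunks = {}        # port -> set of VLANs allowed on that trunk
        self.links = {}         # trunk port -> (peer switch, peer port)
        self.mac_table = {}     # (vlan, mac) -> port; learned separately per VLAN
        self.delivered = []     # (port, frame) handed to the end station on an access port

    def add_access_port(self, port, vlan):
        self.access[port] = vlan

    def add_trunk_port(self, port, allowed):
        self.trunks[port] = set(allowed)

    def connect(self, port, other, other_port):
        self.links[port] = (other, other_port)
        other.links[other_port] = (self, port)

    def _ingress_vlan(self, port, frame):
        if port in self.access:
            return self.access[port]          # any tag is ignored: the access port decides
        if port in self.trunks and frame.vlan in self.trunks[port]:
            return frame.vlan
        return None                           # unknown port, or VLAN not allowed on this trunk

    def _ports_in_vlan(self, vlan):
        return ([p for p, v in self.access.items() if v == vlan]
                + [p for p, allowed in self.trunks.items() if vlan in allowed])

    def _egress(self, port, vlan, frame):
        if port in self.trunks:
            if port in self.links:            # tagged copy to the neighbouring switch
                peer, peer_port = self.links[port]
                peer.receive(peer_port, Frame(frame.dst, frame.src, vlan, frame.payload))
        else:                                 # untagged delivery to the end station
            self.delivered.append((port, Frame(frame.dst, frame.src, None, frame.payload)))

    def receive(self, port, frame):
        vlan = self._ingress_vlan(port, frame)
        if vlan is None:
            return                            # dropped
        self.mac_table[(vlan, frame.src)] = port
        known = self.mac_table.get((vlan, frame.dst))
        if frame.dst == BROADCAST or known is None:
            targets = [p for p in self._ports_in_vlan(vlan) if p != port]   # flood, same VLAN only
        elif known != port:
            targets = [known]
        else:
            targets = []                      # destination sits behind the ingress port
        for p in targets:
            self._egress(p, vlan, frame)


def _deliveries(*switches):
    """Collect and clear (switch, port) pairs that received a frame."""
    out = sorted((sw.name, port) for sw in switches for port, _ in sw.delivered)
    for sw in switches:
        sw.delivered.clear()
    return out


def demo():
    s1, s2 = Switch("S1"), Switch("S2")
    for sw in (s1, s2):
        sw.add_access_port("1", 10)
        sw.add_access_port("2", 20)
        sw.add_trunk_port("24", [10, 20])
    s1.connect("24", s2, "24")
    host_a, host_b, host_c = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    results = {}
    # A (S1 port 1, VLAN 10) broadcasts: the frame crosses the trunk and reaches
    # only the VLAN 10 access port on S2, never a VLAN 20 port.
    s1.receive("1", Frame(BROADCAST, host_a, payload="who-has 10.0.10.2"))
    results["broadcast_from_vlan10"] = _deliveries(s1, s2)       # [("S2", "1")]
    # B answers with a unicast; both switches learned A in VLAN 10, so no flooding.
    s2.receive("1", Frame(host_a, host_b, payload="is-at"))
    results["unicast_reply"] = _deliveries(s1, s2)               # [("S1", "1")]
    # C on VLAN 20 addresses A's MAC directly: A is unknown in VLAN 20, so the
    # frame is flooded within VLAN 20 only and A never sees it.
    s1.receive("2", Frame(host_a, host_c, payload="cross-vlan attempt"))
    results["vlan20_to_vlan10_mac"] = _deliveries(s1, s2)         # [("S2", "2")]
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: {ports}")
```

The point to take from the last case is that the MAC table is keyed on (VLAN, MAC), so a station in VLAN 20 cannot reach a VLAN 10 station by learning its MAC address; only a router, or a trunk port misconfigured to carry VLAN 10 to the wrong place, would bridge the gap.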
 
 

FDDI backbones

FDDI is a proven and reliable high-speed backbone technology that many organizations have used successfully for years. FDDI standards are mature, and many organizations do not want to displace their FDDI investments. Not every vendor's virtual LAN implementation supports FDDI. Integrators who want to keep their existing FDDI media need to be sure that the VLAN capability of a switch supports FDDI as well as other emerging technologies.

ATM

ATM is the standard that encompasses a wide variety of data types (data, image, voice, video). In addition, it has a wide geographic scope (LAN, MAN, WAN). ATM speed can be anywhere from 56 Kbps to 622 Mbps now and even faster speeds in the future. It's currently pretty expensive, and most users are postponing installing it to the desktop. But it's quickly becoming a strong alternative to FDDI as a backbone technology, and fairly soon it will become widely used for server connectivity.

If an organization uses ATM in the backbone they should bear in mind that the switching options which may be suitable now may not be optimal in the future. Generally the more powerful and flexible the standard, the further it is from final standardization and widespread implementation. It's important that a virtual LAN mechanism be able to operate efficiently across ATM backbones while ATM LAN Emulation (LANE) and Multi-Protocol Over ATM (MPOA) standards are being finalized, implemented and tested. Xylan is committed to meeting ATM standards and utilizing ATM with virtual LANs.
 
 

Adds, moves, and changes

In many networks it's common for devices to move frequently within a building or campus. Network administrators should be able to assign devices to virtual LANs and never have to reassign them--no matter where they move to.
 
 

Speed of operation

Organizations are migrating to switching to provide high bandwidth to users at a low price, so VLANs should not affect a network's speed. VLANs should operate at wire speed.
 
 

VLANs should support:


Policies of virtual LAN

In order to reduce the complexity of network management, VLAN membership can be defined in different ways, using different policies.

  1. Port based VLAN

     The simplest form of VLAN: a collection of ports on one LAN switch or on several switches. It cannot, however, cope with a device being added or moved to another port, because the port, not the device, is what holds the membership.

  2. MAC address based VLAN

     Each VLAN is defined by a list of MAC addresses, so the VLAN follows a device automatically when it is moved. However, a large number of MAC addresses is not easy to manage, and a source MAC address is not authenticated, so any station that uses a listed address inherits that address's membership.

  3. Layer three based VLAN

     VLANs can be built on the IP subnet address, the IPX network number and so on. This gives the network administrator a great deal of flexibility and is easier to manage than a MAC address based VLAN.

  4. Policy based VLAN

     The most flexible implementation. A policy based VLAN can combine all of the above ways of defining a VLAN, so that the method best suited to a particular network, or a particular part of it, can be selected.
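The four membership policies above, and the trade-off between them, as an added Python example (written for this page, not taken from the paper or from any vendor's product). Each policy maps the attributes of an arriving frame (ingress port, source MAC, source IP) to a VLAN number, or to None when it has no opinion; the policy chain tries the configured policies in order, which is what the text calls a policy based VLAN. The ports, addresses and the quarantine VLAN 999 are made up.

```python
"""VLAN membership policies: port, MAC, Layer 3, and a policy chain.
Added example; all ports, addresses and VLAN numbers are constructed."""
import ipaddress


class PortPolicy:
    def __init__(self, port_to_vlan):
        self.port_to_vlan = dict(port_to_vlan)

    def classify(self, frame):
        return self.port_to_vlan.get(frame["port"])


class MacPolicy:
    def __init__(self, mac_to_vlan):
        self.mac_to_vlan = {m.lower(): v for m, v in mac_to_vlan.items()}

    def classify(self, frame):
        return self.mac_to_vlan.get(frame["src_mac"].lower())


class SubnetPolicy:
    """Layer 3 membership keyed on the source IP subnet; longest prefix wins."""
    def __init__(self, subnet_to_vlan):
        self.nets = sorted(((ipaddress.ip_network(n), v) for n, v in subnet_to_vlan.items()),
                           key=lambda item: item[0].prefixlen, reverse=True)

    def classify(self, frame):
        if frame.get("src_ip") is None:
            return None                   # non-IP frame: this policy cannot decide
        addr = ipaddress.ip_address(frame["src_ip"])
        for net, vlan in self.nets:
            if addr in net:
                return vlan
        return None


class PolicyChain:
    """Policy based VLAN: the first policy with an answer wins, else the default VLAN."""
    def __init__(self, policies, default=None):
        self.policies = list(policies)
        self.default = default

    def classify(self, frame):
        for policy in self.policies:
            vlan = policy.classify(frame)
            if vlan is not None:
                return vlan
        return self.default


def demo():
    laptop = "00:11:22:33:44:55"
    port_based = PortPolicy({"S1/1": 10, "S1/2": 20})
    mac_based = MacPolicy({laptop: 10})
    subnet_based = SubnetPolicy({"10.0.10.0/24": 10, "10.0.20.0/24": 20})
    # Hypothetical chain: MAC first, then subnet, then port; unmatched -> quarantine VLAN 999.
    chain = PolicyChain([mac_based, subnet_based, port_based], default=999)

    at_desk = {"port": "S1/1", "src_mac": laptop, "src_ip": "10.0.10.5"}
    moved = {"port": "S1/2", "src_mac": laptop, "src_ip": "10.0.10.5"}     # same laptop, new port
    cloned = {"port": "S1/2", "src_mac": laptop, "src_ip": "10.0.20.7"}    # other host using the laptop's MAC
    unknown = {"port": "S1/9", "src_mac": "de:ad:be:ef:00:01", "src_ip": "192.168.5.4"}
    return {
        "port_at_desk": port_based.classify(at_desk),       # 10
        "port_after_move": port_based.classify(moved),      # 20: the port, not the user, owns the membership
        "mac_after_move": mac_based.classify(moved),        # 10: membership followed the device
        "mac_cloned": mac_based.classify(cloned),           # 10: and follows anyone who copies the MAC
        "subnet_after_move": subnet_based.classify(moved),  # 10
        "chain_unknown": chain.classify(unknown),           # 999: unmatched device lands in quarantine
    }


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name}: VLAN {vlan}")
```

The "mac_cloned" case is the caveat to keep in mind for MAC and Layer 3 based policies: both key on a field the sending station chooses, so they track moves well but are no substitute for a policy enforced at the router between VLANs.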
 

Types of VLANs

Recognizing the many uses of VLANs, Digital will provide the most comprehensive VLAN capability in the industry by supporting the broadest range of membership policies and addressing schemes within its enVISN architecture:

 

Connections

Cisco ATM software provides support for any combination of the following connection types:

Permanent Virtual Circuit (PVC)

A Permanent Virtual Circuit (PVC) is a virtual channel that is manually established between ATM endstations. A PVC is statically configured and requires that each direction of the connection be manually configured at the endstation to identify the other. Also, Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI) tables must be configured in switches and in endstations for the entire path of the connection. A network management system may aid in the management of PVC connections.

Ideally, PVC connections should only be implemented if there are relatively few endstations, where the endstations are not likely to be physically moved or removed from the network, and/or SVC signaling software is not available for connected network devices. For example, if one endstation is removed, all remaining endstations connected to the node will require modification (i.e., to delete the PVC entry for the removed node from the VPI/VCI table). Once a PVC is established between two endstations, it remains as a permanent connection until one of the endstations terminates the link.
 
 

Signaling / Switched Virtual Circuit (SVC)

Signaling provides a mechanism to establish SVC connections between endpoint devices. In operation, signaling messages are exchanged over the predefined signaling channel, where VPI = 0 and VCI = 5. The switch and the endstation negotiate an available channel and the SVC is established. This allows for dynamic communication between the switch and the end station.

A Switched Virtual Circuit (SVC) is a virtual channel that is dynamically established, using signaling software, between ATM endstations. Signaling software in the Cisco ATM driver (on the host system) negotiates through the ATM switch over a specific VPI/VCI channel (0/5). An available channel is identified and an SVC connection is established.

SVC connections provide more efficient resource utilization and universal connectivity. Unlike PVC connections, SVC connections support automated administration and do not require a network management system to configure each channel. In fact, administration of the ATM address table (i.e., the connection table) is the only management required for SVC operation, and this requirement is further simplified if ILMI is available.

SVC connections are virtual channels that are both dynamically opened and dynamically closed. If the channel is not used for a specified period of time, then it closes, to optimize resources.
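The administrative difference between PVCs and SVCs described above, as an added Python model (written for this page, not the paper's or Cisco's code, and deliberately limited to the bookkeeping the text describes). The switch keeps a cross-connect table keyed by (port, VPI, VCI). A PVC exists only after the operator has entered both ends by hand, and removing an endstation means purging every entry that touched it. An SVC is requested by a SETUP message on the reserved signaling channel VPI 0 / VCI 5; the switch picks free VCIs itself and releases the circuit once it has been idle longer than the timeout. Time is an explicit counter so the example runs offline; the port numbers, VCIs and timeout are made up.

```python
"""PVC versus SVC bookkeeping on an ATM switch. Added, simplified model;
ports, VCIs and the idle timeout are constructed for the demo."""
SIGNALING = (0, 5)          # VPI 0 / VCI 5: the predefined signaling channel


class AtmSwitch:
    def __init__(self, idle_timeout=60):
        self.table = {}          # (port, vpi, vci) -> {"peer": (port, vpi, vci), "kind": "pvc"|"svc", "last_used": t}
        self.idle_timeout = idle_timeout
        self.now = 0

    def _free_vci(self, port, vpi=0):
        used = {vci for (p, v, vci) in self.table if p == port and v == vpi}
        vci = 32                 # VCIs 0-31 of each VPI are reserved for control channels such as 0/5
        while vci in used:
            vci += 1
        return vci

    def add_pvc(self, end_a, end_b):
        """Operator-configured PVC: both ends are entered by hand, nothing is negotiated."""
        for key in (end_a, end_b):
            if key[1:] == SIGNALING:
                raise ValueError("VPI 0 / VCI 5 is reserved for signaling")
            if key in self.table:
                raise ValueError(f"{key} is already in use")
        self.table[end_a] = {"peer": end_b, "kind": "pvc", "last_used": self.now}
        self.table[end_b] = {"peer": end_a, "kind": "pvc", "last_used": self.now}

    def remove_endstation(self, port):
        """Manual clean-up after a PVC endstation leaves: drop its entries and their far ends.
        Returns the number of circuits removed."""
        removed = 0
        for key in [k for k in self.table if k[0] == port]:
            entry = self.table.pop(key, None)
            if entry is not None:
                self.table.pop(entry["peer"], None)
                removed += 1
        return removed

    def signal_setup(self, from_port, to_port):
        """SETUP received on (from_port, 0, 5): allocate a VCI at each end and cross-connect them."""
        end_a = (from_port, 0, self._free_vci(from_port))
        end_b = (to_port, 0, self._free_vci(to_port))
        self.table[end_a] = {"peer": end_b, "kind": "svc", "last_used": self.now}
        self.table[end_b] = {"peer": end_a, "kind": "svc", "last_used": self.now}
        return end_a, end_b

    def forward(self, key):
        """A cell arrives on (port, vpi, vci); returns the output (port, vpi, vci), or None if no circuit."""
        entry = self.table.get(key)
        if entry is None:
            return None
        entry["last_used"] = self.now
        self.table[entry["peer"]]["last_used"] = self.now
        return entry["peer"]

    def tick(self, seconds):
        """Advance the clock. SVCs idle past the timeout are released; PVCs stay until removed by hand.
        Returns the number of circuits released."""
        self.now += seconds
        idle = [k for k, e in self.table.items()
                if e["kind"] == "svc" and self.now - e["last_used"] > self.idle_timeout]
        released = 0
        for key in idle:
            entry = self.table.pop(key, None)
            if entry is not None:
                self.table.pop(entry["peer"], None)
                released += 1
        return released


def demo():
    sw = AtmSwitch(idle_timeout=60)
    # Full mesh of PVCs between endstations on ports 1, 2 and 3: three circuits, six entries, all typed in.
    sw.add_pvc((1, 0, 100), (2, 0, 100))
    sw.add_pvc((1, 0, 101), (3, 0, 100))
    sw.add_pvc((2, 0, 101), (3, 0, 101))
    r = {"pvc_entries": len(sw.table)}                         # 6
    r["circuits_purged_for_port3"] = sw.remove_endstation(3)   # 2: the operator has to find both
    r["entries_after_purge"] = len(sw.table)                   # 2
    # The endstation on port 1 signals for a circuit to port 2; the switch picks the VCIs.
    end_a, end_b = sw.signal_setup(1, 2)
    r["svc_ends"] = (end_a, end_b)                             # ((1, 0, 32), (2, 0, 32))
    r["svc_forwards"] = sw.forward(end_a) == end_b             # True
    sw.tick(30)
    sw.forward(end_a)                                          # traffic keeps the SVC alive
    r["released_at_60s"] = sw.tick(30)                         # 0: idle for only 30 s
    r["released_at_121s"] = sw.tick(61)                        # 1: the SVC, idle 91 s, is gone
    r["svc_after_release"] = sw.forward(end_a)                 # None
    r["pvc_after_release"] = sw.forward((1, 0, 100))           # (2, 0, 100): the PVC stays until removed by hand
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```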
 
 

Routing Between VLANs

VLANs can be used to establish broadcast domains within the network as routers do, but a switch cannot forward traffic from one VLAN to another. Routing is still required for inter-VLAN traffic. Optimal VLAN deployment is predicated on keeping as much traffic as possible from traversing the router. Minimizing this traffic reduces the chance of the router becoming a bottleneck. As a result, the corollary to "switch when you can, route when you must" in a VLAN environment becomes "routing is only used to connect VLANs".

Having said this, however, it should be kept in mind that, in some cases, routing may not prove to be much of a bottleneck. As mentioned earlier, integrating routing functionality into the backbone switch, eliminates this bottleneck if this routing is accomplished at wire-speed for inter-VLAN packets.
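Routing between VLANs, and the fact that the router is the one place where traffic crossing a VLAN boundary can be checked, as an added Python model (written for this page, not code from the paper or from Cisco). The router has one interface per VLAN, the way a router attached to a trunk, or a routing module in the switch, sees them. A packet arriving from VLAN X is accepted only if its source lies in X's subnet, is refused if its destination is also in X (the switch delivers that without the router), is checked against X's inbound access list (first match wins, with an implicit deny when a list exists), has its TTL decremented, and is delivered onto the VLAN that owns the destination subnet. Subnets, VLAN numbers and rules are made up.

```python
"""Router between VLANs with an access list at the boundary.
Added example; subnets, VLAN numbers and rules are constructed."""
import ipaddress


class Rule:
    def __init__(self, action, src, dst, proto="ip", dport=None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.proto in ("ip", pkt["proto"])            # "ip" matches any protocol
                and (self.dport is None or self.dport == pkt.get("dport")))


class InterVlanRouter:
    def __init__(self):
        self.interfaces = {}     # vlan -> (subnet, router's own address on it)
        self.acls = {}           # vlan -> inbound rules, applied to traffic leaving that VLAN

    def add_interface(self, vlan, cidr):
        iface = ipaddress.ip_interface(cidr)
        self.interfaces[vlan] = (iface.network, iface.ip)

    def add_rule(self, vlan, action, src, dst, proto="ip", dport=None):
        self.acls.setdefault(vlan, []).append(Rule(action, src, dst, proto, dport))

    def route(self, vlan_in, pkt):
        """Returns ('forward', vlan_out, new_pkt) or ('drop', reason)."""
        if vlan_in not in self.interfaces:
            return ("drop", "no interface on that VLAN")
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if src not in self.interfaces[vlan_in][0]:
            return ("drop", "source address does not belong to the ingress VLAN")
        if pkt["ttl"] <= 1:
            return ("drop", "TTL expired")
        vlan_out = next((v for v, (subnet, _) in self.interfaces.items() if dst in subnet), None)
        if vlan_out is None:
            return ("drop", "no route to destination")
        if vlan_out == vlan_in:
            return ("drop", "destination is on the ingress VLAN: the switch delivers it without the router")
        rules = self.acls.get(vlan_in, [])
        matched = next((r for r in rules if r.matches(pkt)), None)
        if rules and (matched is None or matched.action == "deny"):
            return ("drop", "denied by access list" if matched else "implicit deny at end of access list")
        return ("forward", vlan_out, dict(pkt, ttl=pkt["ttl"] - 1))


def demo():
    r = InterVlanRouter()
    r.add_interface(10, "10.0.10.1/24")    # users
    r.add_interface(20, "10.0.20.1/24")    # servers
    r.add_interface(30, "10.0.30.1/24")    # executive workgroup
    # Users may reach the servers on HTTP/HTTPS only and never the executive VLAN.
    r.add_rule(10, "permit", "10.0.10.0/24", "10.0.20.0/24", "tcp", 80)
    r.add_rule(10, "permit", "10.0.10.0/24", "10.0.20.0/24", "tcp", 443)
    r.add_rule(10, "deny", "10.0.10.0/24", "10.0.30.0/24")
    web = {"src": "10.0.10.5", "dst": "10.0.20.8", "proto": "tcp", "dport": 80, "ttl": 64}
    ssh = dict(web, dport=22)
    to_exec = dict(web, dst="10.0.30.2")
    local = dict(web, dst="10.0.10.9")
    spoof = dict(web, src="10.0.30.77")    # claims an executive address but arrives from VLAN 10
    return {
        "web_to_server": r.route(10, web),      # ('forward', 20, {..., 'ttl': 63})
        "ssh_to_server": r.route(10, ssh),      # ('drop', 'implicit deny at end of access list')
        "user_to_exec": r.route(10, to_exec),   # ('drop', 'denied by access list')
        "same_vlan": r.route(10, local),        # ('drop', 'destination is on the ingress VLAN: ...')
        "spoofed_source": r.route(10, spoof),   # ('drop', 'source address does not belong ...')
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "same_vlan" case is why keeping traffic inside a VLAN relieves the router, and the "spoofed_source" check is the cheap sanity test that belongs on every VLAN interface: a packet whose source address is not in the subnet of the VLAN it arrived from has no business being routed.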
 
 

Extending VLANs From the Workgroup to the Enterprise

The Cisco Catalyst 5000 switching system delivers enterprise-wide VLAN communications by handling up to 1,024 switched virtual LANs without any switching performance degradation. These VLANs can be interconnected between switches and routers using three high-speed backbone technologies: 100Base-T Fast Ethernet, Fiber Distributed Data Interface (FDDI) and Asynchronous Transfer Mode (ATM).

Advantages

VLANs offer a number of advantages over traditional LANs. They are:

1) Performance

In networks where traffic consists of a high percentage of broadcasts and multicasts, VLANs can reduce the need to send such traffic to unnecessary destinations. For example, in a broadcast domain consisting of 10 users, if the broadcast traffic is intended only for 5 of the users, then placing those 5 users on a separate VLAN can reduce traffic. Compared to switches, routers require more processing of incoming traffic. As the volume of traffic passing through the routers increases, so does the latency in the routers, which results in reduced performance. The use of VLANs reduces the number of routers needed, since VLANs create broadcast domains using switches instead of routers.
 
 

2) Formation of Virtual Workgroups

Nowadays, it is common to find cross-functional product development teams with members from different departments such as marketing, sales, accounting, and research. These workgroups are usually formed for a short period of time. During this period, communication between members of the workgroup will be high. To contain broadcasts and multicasts within the workgroup, a VLAN can be set up for them. With VLANs it is easier to place members of a workgroup together. Without VLANs, the only way this would be possible is to physically move all the members of the workgroup closer together. However, virtual workgroups do not come without problems. Consider the situation where one user of the workgroup is on the fourth floor of a building, and the other workgroup members are on the second floor. Resources such as a printer would be located on the second floor, which would be inconvenient for the lone fourth floor user. Another problem with setting up virtual workgroups is the implementation of centralized server farms, which are essentially collections of servers and major resources for operating a network at a central location. The advantages here are numerous, since it is more efficient and cost-effective to provide better security, uninterrupted power supply, consolidated backup, and a proper operating environment in a single area than if the major resources were scattered in a building. Centralized server farms can cause problems when setting up virtual workgroups if servers cannot be placed on more than one VLAN. In such a case, the server would be placed on a single VLAN and all other VLANs trying to access the server would have to go through a router; this can reduce performance [Netreference Inc. article].

3) Simplified Administration

Seventy percent of network costs are a result of adds, moves, and changes of users in the network. Every time a user is moved in a LAN, recabling, new station addressing, and reconfiguration of hubs and routers become necessary. Some of these tasks can be simplified with the use of VLANs. If a user is moved within a VLAN, reconfiguration of routers is unnecessary. In addition, depending on the type of VLAN, other administrative work can be reduced or eliminated. However, the full power of VLANs will only really be felt when good management tools are created that allow network managers to drag and drop users into different VLANs or to set up aliases. Despite this saving, VLANs add a layer of administrative complexity, since it now becomes necessary to manage virtual workgroups.

4) Reduced Cost

VLANs can be used to create broadcast domains with switches rather than routers, which reduces the number of router interfaces, and often the number of routers, that must be bought; routers are still required between VLANs.

5) Security

Periodically, sensitive data may be broadcast on a network. Placing only the users entitled to that data on their own VLAN reduces the chance of an outsider on the same switched network seeing those broadcasts. More generally, VLANs control the scope of broadcast domains, and because all traffic between VLANs must pass through a router, the router becomes a natural enforcement point where access lists or a firewall can restrict which hosts and services in one VLAN are reachable from another, and where attempts to cross the boundary can be logged for the network manager. The VLAN itself provides segmentation, not authentication: a misconfigured port, such as a trunk that carries every VLAN to an untrusted station, undoes the separation, so the VLAN assignments of switch ports deserve the same change control as router access lists.

Uses & Benefits of the Virtual LAN service

The hosted Virtual LAN service mentioned earlier (a remote-access product, distinct from switch VLANs) is offered for uses such as:
... Sharing documents in a geographically dispersed workgroup
... Developing your own Web site
... Exchanging files with clients or business associates
... Providing customer or product support
 
 

What do VLANs enable?

Benefits of VLANs in a Switched Environment

… Ethernet LANs were originally a single collision domain and a single broadcast domain.

… Bridges broke Ethernet into multiple collision domains, but the network was still one broadcast domain.

… Routers broke Ethernet into multiple collision domains and contained broadcasts within each domain: expensive, complicated and slow.

… Switches break Ethernet into multiple collision domains and use VLANs to contain broadcasts within each domain: fast, cheap and simple.

Conclusion

VLANs offer significant cost and performance benefits for a majority of the LANs installed today. These benefits are realized as network managers migrate to switched LAN architectures across the enterprise. And while VLANs are an integral part of ATM architectures, the concept and much of the technology has been designed into LAN-based switches that offer similar benefits across shared-LAN backbones. Further, end users' applications need not change to realize these benefits. VLANs, as part of the switching architecture, are invisible to end users. Finally, VLANs are more than simply a shared hub, routing, switching, or network management solution. It is the combination of all these components that provides powerful segmentation and efficient administration across the network.
 
 

References
 
 

Acknowledgement

I lastly acknowledge Prof. Abdelshakour Abuzneid for the excellent support he has given us in class, by which I completed this project successfully. I expect the same kind of support from him in the future.