Virtual Local Area Networks (VLAN): A Brief Introduction
Shang Juh Kao, Dept. of Computer Science and Engineering, National Chung University
2020/12/3 CSE, NCHU
Table of Contents
1. Introduction
2. VLAN Architecture
3. Broadcast Domains & VLAN Operations
4. Frame Processing & Traffic between VLANs
Introduction to VLAN
Definition of VLAN: a virtual LAN is a logical network which connects stations just as if they were physically connected.
Characteristics of VLAN:
Flexibility – dynamic addition or deletion of members of a VLAN.
Broadcast Domain – all members receive messages sent by any other member.
Firewall Effect – stations belonging to different VLANs cannot communicate directly.
LANs vs. VLANs
In a traditional LAN:
Users are grouped physically based on the hub they are plugged into.
Routers segment the LAN and provide broadcast boundaries.
In VLANs:
Users are grouped logically by function, department or application.
Configuration is done through special software.
A sample VLAN network (figure). Source: Cisco IOS Switching Services Configuration Guide
Introduction to VLAN (1/2)
Identification: every VLAN has an identifier (VLAN ID), which is a 12-bit value.
Bridge/Switch: plug-and-play – bridges or switches of VLAN-aware devices should support the “plug-and-play” feature. That is, when a device has not joined any VLAN, it should behave as it would in a traditional network.
Introduction to VLAN (2/2)
Motivations:
1. Support the requirements of virtual organizations
2. Simplify network management
3. Increase network resource utilization
4. Enhance network security
How VLANs work
When a switch receives data from a workstation, it tags the data with a VLAN identifier that indicates which VLAN the data originally came from.
A packet can only travel from one broadcast domain to another if both domains have the same identifier.
To set up VLANs, we need VLAN-aware switching devices that comply with the IEEE 802.1Q standard: intelligent switches (operating at the MAC layer) or routers (operating at the network layer of the OSI reference model).
Disadvantage & Advantages
Disadvantage: VLANs require significant overhead.
Advantages: more security; ease of administration; broadcast control; reduction in network traffic.
VLAN Architecture
Three hierarchical layers in the VLAN architecture:
1. Configuration – MIBs
2. Distribution/Resolution – registration protocols, topology distribution protocols
3. Relay – ingress rules, forwarding rules, and egress rules
Configuration
Five types of configuration, initialized through local or remote management mechanisms or distribution protocols:
1. Port-based VLAN – easy setup, but lacks flexibility.
2. MAC-based VLAN – convenient for device mobility, but the MAC addresses must be listed in advance.
3. IP-subnet-based VLAN – e.g. IP subnets 140.114.76, 140.114.77, 140.114.78.
4. Layer-3-based VLAN – based on the layer-3 protocol, such as IP or IPX.
5. Rule-based VLAN – by examining packet header fields, such as IP subnet, Ethernet type, SNAP field, TCP source port, …
LAN = Local Area Network
VLAN Configuration Comparisons (columns: Port-based, MAC-based, Layer-3-based, Rule-based)
Device: intelligent hub / switch
Deployment: easy / difficult / middle
Flexibility: no / no / average / high
Improve group bandwidth utilization: n / y / y
Multicast: bad / bad / good
Multiple VLANs per port: n / n / y / y / y
Security: high / mid / 2 low choices
Can a member span switches? n / y / y
VLAN Types
Static VLANs
Definition: static VLANs are when ports on a switch are administratively assigned to a VLAN.
Benefits: secure, and easy to configure and monitor; works well in networks where moves are controlled.
Source: Cisco IOS Switching Services Configuration Guide
Dynamic VLANs
Definition: switch ports can automatically determine a user’s VLAN assignment based on MAC address or protocol type.
Benefits: less administration when users are added or moved; centralized notification of unauthorized users.
Source: Cisco IOS Switching Services Configuration Guide
Distribution / Resolution
Every VLAN member should be able to transmit messages to all VLAN bridges/switches, and each bridge/switch should be able to recognize VLAN frames.
Declaration protocols – forward the association between stations and VLANs.
Request/response protocols – for requesting some special VLAN association.
Relay
Relay is used to deal with frame transformation in the VLAN:
1. Confirm the relationship between the received frame and a VLAN through ingress rules.
2. Determine the transmission port through forwarding rules.
3. Translate the frame format and handle tags through egress rules.
Broadcast domains (figure: three groups on 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16)
1) Without VLANs, each group is on a different IP network and on a different switch.
2) With VLANs, the switch is configured with the ports on the appropriate VLAN. Each group is still on a different IP network; however, they are all on the same switch, with one link per VLAN or a single VLAN trunk.
Two Types of VLAN Configuration
Each switch port can be assigned to a different VLAN. Ports assigned to the same VLAN share broadcasts. Ports that do not belong to that VLAN do not share these broadcasts.
Static VLAN operations
Static membership VLANs are called port-based and port-centric membership VLANs. As a device enters the network, it automatically assumes the VLAN membership of the port to which it is attached. “The default VLAN for every port in the switch is the management VLAN. The management VLAN is always VLAN 1 and may not be deleted.” All other ports on the switch may be reassigned to alternate VLANs.
VLAN Operations Notes
Important notes on VLANs:
1. VLANs are assigned on the switch port. There is (usually) no VLAN assignment done on the host.
2. For a host to be part of a VLAN, it must be assigned an IP address that belongs to the proper subnet. Remember: VLAN = subnet.
3. Assigning a host to the correct VLAN is a 2-step process: (1) connect the host to the correct port on the switch; (2) assign the host the correct IP address for its VLAN membership.
Dynamic VLAN Operations
Dynamic membership VLANs are created through network management software (not as common as static VLANs). CiscoWorks 2000 or CiscoWorks for Switched Internetworks is used to create dynamic VLANs, which allow membership based on the MAC address of the device connected to the switch port. As a device enters the network, the switch queries a database for its VLAN membership.
Frame Processing
Switches make filtering and forwarding decisions based on data in the frame. There are two techniques used:
Frame Filtering – examines particular information about each frame (MAC address or Layer 3 protocol type).
Frame Tagging – places a unique identifier in the header of each frame as it is forwarded throughout the network backbone.
VLAN Tagging
VLAN tagging is used when a link (a trunk link) needs to carry traffic for more than one VLAN. As packets are received by the switch from any attached end-station device, a unique packet identifier is added within each header. This header information designates the VLAN membership of each packet. The packet is then forwarded to the appropriate switches or routers based on the VLAN identifier and MAC address. Upon reaching the destination switch, the VLAN ID is removed from the packet by that switch and the packet is forwarded to the attached device. Packet tagging provides a mechanism for controlling the flow of broadcasts and applications without interfering with the network and applications.
VLAN Tagging vs. No VLAN Tagging (figure)
VLAN tagging is used when a single link needs to carry traffic for more than one VLAN.
Frame Tagging (1/2)
1. Implicit tagging – the frame itself carries no tag. Content in the frame, such as the MAC address and network layer protocol, is used to determine which VLAN it belongs to.
2. Explicit tagging – the frame itself carries a tag. A bridge/switch receiving such a frame checks the mapping and embeds a VLAN ID into the frame.
Frame Tagging (2/2)
A preferred way to implement VLANs: uniquely assigns a VLAN ID to each frame before it is forwarded across the backbone; the tag is removed by the switch after the frame exits the backbone.
Source: Cisco IOS Switching Services Configuration Guide
Traffic Between VLANs
Switches do not forward frames between different VLANs. A router does this!!!
Trunking – a method that supports multiple VLANs that have members on more than one switch. Two popular trunking protocols: Cisco Inter-Switch Link (ISL) and IEEE 802.1Q.
Source: How Stuff Works
Inter-Switch Link (ISL)
Cisco created ISL before the IEEE standardized a trunking protocol. ISL is Cisco proprietary; it can only be used between two Cisco switches. ISL encapsulates each frame in an ISL header and trailer.
IEEE 802.1Q
802.1Q is an open standard that can be used with multivendor switches. 802.1Q does not encapsulate; it inserts an extra 4-byte tag header into the middle of the original Ethernet header. Because the frame contents change, 802.1Q forces a recalculation of the FCS.
Embedding the Tag Header into Ethernet
Tag header layout: TPID (16 bits) | PCP (3 bits) | CFI (1 bit) | VID (12 bits)
Tag protocol identifier (TPID) – 2 bytes, value 0x8100.
Tag control information (TCI) – 2 bytes: a 3-bit priority code point (PCP), a 1-bit canonical format indicator (CFI), and a 12-bit VLAN identifier (VID).
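The tag header layout above, and the ingress/egress handling from the Relay slide, as an added example that is not part of the original slides: Python that inserts an 802.1Q tag after the two MAC addresses, parses it back into PCP/CFI/VID, strips it again on egress, and recomputes the Ethernet FCS each time. The frame bytes are constructed sample data; the FCS helper uses the standard Ethernet CRC-32 (the same polynomial as zlib, appended little-endian).

```python
import struct
import zlib

TPID_8021Q = 0x8100  # tag protocol identifier that marks an 802.1Q tagged frame


def ethernet_fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over everything after the preamble, sent little-endian."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_tci(pcp: int, cfi: int, vid: int) -> int:
    """Pack PCP (3 bits) | CFI (1 bit) | VID (12 bits) into the 16-bit TCI."""
    if not (0 <= pcp <= 7 and cfi in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("PCP is 3 bits, CFI is 1 bit, VID is 12 bits")
    return (pcp << 13) | (cfi << 12) | vid


def insert_tag(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Tag an untagged frame (including its 4-byte FCS) and recompute the FCS.
    The 4-byte tag goes after the 12 bytes of destination + source MAC."""
    body = frame[:-4]
    tag = struct.pack("!HH", TPID_8021Q, build_tci(pcp, cfi, vid))
    tagged = body[:12] + tag + body[12:]
    return tagged + ethernet_fcs(tagged)


def parse_tag(frame: bytes):
    """Ingress check: return (pcp, cfi, vid, ethertype) for a tagged frame, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return (tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, ethertype)


def strip_tag(frame: bytes) -> bytes:
    """Egress to an access port: remove the tag and recompute the FCS."""
    if parse_tag(frame) is None:
        return frame
    body = frame[:-4]
    untagged = body[:12] + body[16:]
    return untagged + ethernet_fcs(untagged)


def fcs_ok(frame: bytes) -> bool:
    """True if the trailing 4 bytes match the CRC-32 of the rest of the frame."""
    return ethernet_fcs(frame[:-4]) == frame[-4:]


# Constructed sample frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), 46 zero bytes, FCS.
UNTAGGED = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + bytes(46)
UNTAGGED += ethernet_fcs(UNTAGGED)
```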