VLAN technologies are feature rich, but how well do the bells and whistles fit into today's networking environments? Stuart Mark reports.
Throughout the nineties, Virtual LANs or VLANs were touted as the next big thing. For once the marketing men were correct, and VLAN technology is becoming as ubiquitous as ethernet itself. All but the smallest, cheapest hubs have been replaced by LAN switches, and routers have given way to Layer three (and, some would have you believe, layer four) switches.
But has the advent of the VLAN brought all the benefits that were originally promised, and does its use present any issues?
What is a VLAN?
A VLAN is a group of entities (PCs, servers, printers, etc.) that are connected to a network in such a way that they can be grouped into autonomous broadcast domains regardless of physical location. This is achieved by using VLAN-capable switches in place of traditional hubs, which allow, at their simplest level, ports to be grouped into different LANs. For example, an ethernet switch with ten ports could have ports one to five assigned to VLAN A and ports six to ten assigned to VLAN B. This would mean that a PC connected to port three could only see traffic on VLAN A. All VLAN B traffic, including broadcasts, would be confined to ports six to ten, hence the term broadcast domain.
This can be expanded to more than one switch, so that a VLAN could consist of a port group on switch one and a port group on switch two. In a VLAN domain, i.e. a group of switches that contain a number of VLANs, the switches are typically connected together using trunks. All VLAN traffic must be carried across these trunks in such a manner that the switches can correctly distinguish between packets belonging to different VLANs. Historically there are three methods by which vendors have carried VLAN traffic.
Time Division Multiplexing reserves a fixed block of bandwidth on the trunk for each VLAN it carries, much like TDM on WANs. Signalling employs a method whereby switches maintain tables of locally attached stations belonging to each VLAN and regularly update each other, in a way similar to the operation of IP routing. Tagging requires that a 'tag' be inserted into every frame in the VLAN domain that identifies it as a member of a particular VLAN.
Of the three, the tagging method of VLAN notification has become the most widely accepted. Cisco's VLAN Trunking Protocol (VTP) using Inter-Switch Links (ISL) employs a form of tagging, and Cisco tried to have this included as part of the IEEE 802.10 VLAN security standard, but without success. Instead, a standardised form of VLAN tagging has emerged, IEEE 802.1Q. The standard has done much to eradicate many of the proprietary VLAN interoperability issues of the past. Broadly speaking, any VLAN switch supporting IEEE 802.1Q should be compatible with any other, although only the bravest network managers would put this to the test on a large scale. Remember also that many vendors offer both 802.1Q and a proprietary trunking solution.
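As an added illustration of the tagging method (this is example code written for this page, not from the article or any vendor), the following Python builds and parses the IEEE 802.1Q tag: four bytes inserted after the source MAC, carrying the 0x8100 TPID and a 16-bit TCI made of a 3-bit priority, a drop-eligible bit and the 12-bit VLAN ID. The sample frame is constructed, and the parser also walks stacked (802.1ad) tags so a monitoring tool can see every VID a frame carries.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces a customer (802.1Q) tag
TPID_QINQ = 0x88A8    # 802.1ad service tag; the parser walks these as well

def add_vlan_tag(frame, vid, pcp=0, dei=0):
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:   # VID 0 is priority-only, 4095 is reserved
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid   # PCP:3, DEI:1, VID:12
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_frame(frame):
    """Return MACs, the list of tags (outermost first), the EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    pos, tags = 12, []
    ethertype, = struct.unpack_from("!H", frame, pos)
    while ethertype in (TPID_8021Q, TPID_QINQ):
        if len(frame) < pos + 6:
            raise ValueError("truncated VLAN tag")
        tci, = struct.unpack_from("!H", frame, pos + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        pos += 4
        ethertype, = struct.unpack_from("!H", frame, pos)
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[pos + 2:]}

def strip_vlan_tag(frame):
    """Remove the outermost tag, as a switch does before sending a frame out an
    untagged (access) port; returns (vid, untagged_frame)."""
    info = parse_frame(frame)
    if not info["tags"]:
        raise ValueError("frame carries no VLAN tag")
    return info["tags"][0]["vid"], frame[:12] + frame[16:]

# Constructed sample: a broadcast ARP frame from a made-up source MAC
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                   + b"\x08\x06" + b"\x00" * 28)

if __name__ == "__main__":
    tagged = add_vlan_tag(SAMPLE_UNTAGGED, vid=10, pcp=3)
    print(tagged[12:16].hex(), parse_frame(tagged)["tags"])
```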
VLAN Definition
So, having the ability to divide a network into VLANs sounds great, but this freedom brings with it two important points of consideration: what is your VLAN strategy, and how will your VLANs be defined?
If you run a small or medium enterprise network, you may want to divide VLANs by business department or service type, e.g. all PeopleSoft users and servers in the same VLAN. If your enterprise is large, the resource required to track changes and alter VLANs accordingly may be outweighed by a requirement to define sensibly sized broadcast domains and impose some control on multicast traffic using IGMP snooping. The methods available for VLAN definition will also affect these decisions.
VLANs can be defined in a number of ways, the simplest being to statically assign specific ports to VLANs. Most vendors also offer the ability to define VLANs dynamically. For example, certain MAC addresses may be automatically placed in a common VLAN. This is known as Layer 2 definition. Layer 3 definition allows entities to be placed in VLANs dependent on their network protocols or addresses. Therefore Novell IPX users could be automatically grouped, PCs might be placed in a common VLAN decided by their IP address, or the Type of Service field may be used to put more important users or applications in separate VLANs. Multicast membership can also be tied to VLANs by defining membership on the destination multicast addresses used. Layer 4 definition is a relatively new approach, aimed mainly at IP services, which will allow VLAN grouping to be made on specific applications by using the port fields of UDP and TCP headers. It is intended to allow a more service-oriented method of organising network entities.
Bridging and Routing
Switches are an evolution of the LAN bridge and, as such, the switch architecture retains an aversion to network loops. This means that spanning tree, the protocol used to remove loops in bridged networks, still has an important role to play. Whenever switches are connected in such a way that a loop is created, spanning tree must be used to remove it while providing a redundant path in the event of hardware failure. There are two approaches to this. Some vendors provide a single spanning tree (SST) regardless of how many VLANs are configured, while others allow multiple spanning trees (MST), one for each VLAN. If a problem occurs with a switch configured as one VLAN, the SST approach may result in service disruption to other VLANs on other switches during any resulting topology change. Consequently, the MST configuration seems to be gaining wider industry acceptance and is the subject of an IEEE standards project, 802.1s.
For both SST and MST, most vendors have recognised the delay that can be introduced if the spanning tree topology must change due to a fault, and have tried to improve on the protocol. A common approach has been to reduce the time it takes a port to change from the blocking to the forwarding state. Service disruption in a switched network is now down to approximately two seconds. Again, the IEEE 802.1w proposed standard is looking into this.
It's also worth remembering that VLANs work in the same way as traditional LANs in that they are distinct networks that require some sort of routing device to join them. Switches have had router cards that, when installed in a switch, provided routing between all the VLANs configured in that domain, but the latest offerings now have routing functionality built in. The switch-router hybrid is generally referred to as a layer 3 switch. It is actually an extremely fast (wire speed) router designed for a switching environment. This speed is achieved by the use of dedicated ASICs (Application Specific Integrated Circuits), or by recognising a conversation between two stations, routing the first packet and then using a switching cache to switch all further packets, thereby removing the latency of the router. This is further evolving into layer 4 switching, where the router can recognise application conversations and pass this information to the switching logic to make much faster forwarding decisions.
VLAN Shortcomings
There can be no doubt that VLANs have improved network design considerably, but their flexible nature can cause some problems that are only now being fully addressed.
As already mentioned, planning a VLAN infrastructure is crucial, and not just from a strategic viewpoint. The size of VLANs must be planned and controlled. Cisco recommend that VLANs be no larger than a Class C IP network, 254 nodes. This is fine until the VLAN gets larger, either through too many static ports being defined or through bad implementation of dynamic VLAN conditions. When a VLAN spans multiple ports on multiple switches, it is very easy to lose track without some form of management software.
Also, the dynamic VLANs based on IP address approach described previously is all very well when stations have static IP addresses, but what happens when DHCP is used on a network? If a PC can't be assigned to a VLAN on bootup because it doesn't have an IP address, how can it possibly get an IP address from the DHCP server across the network? Given that DHCP assigns addresses based on the network location of a station by using the 'giaddr' field in the DHCP packet, DHCP and dynamic IP VLANs do not work well together. You should choose one or the other.
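To make the VLAN definition methods from the previous section and the DHCP problem above concrete, here is an added Python model of one switch (example code written for this page, not the article's or any vendor's implementation) that combines static port membership with Layer 2 (MAC) and Layer 3 (IP subnet) rules. The rule precedence, the port layout and all addresses are constructed for the example; a station that has no IP address yet sends its DHCP request from 0.0.0.0, so an IP-based rule cannot place it, which is the chicken-and-egg case the paragraph describes.

```python
import ipaddress

class VlanSwitch:
    """Toy VLAN-capable switch: static port membership plus dynamic rules.
    Precedence (an assumption of this model): MAC rule, IP subnet rule, static port."""

    def __init__(self, static):
        # static maps vlan -> iterable of ports; a port absent here is dynamic-only
        self.port_vlan = {p: v for v, ports in static.items() for p in ports}
        self.mac_rules = {}      # Layer 2 definition: mac -> vlan
        self.subnet_rules = []   # Layer 3 definition: (IPv4Network, vlan), first match wins

    def add_mac_rule(self, mac, vlan):
        self.mac_rules[mac.lower()] = vlan

    def add_subnet_rule(self, cidr, vlan):
        self.subnet_rules.append((ipaddress.ip_network(cidr), vlan))

    def classify(self, port, src_mac, src_ip=None):
        """VLAN for a frame arriving on `port`, or None if no rule can place it."""
        vlan = self.mac_rules.get(src_mac.lower())
        if vlan is not None:
            return vlan
        # A station waiting for DHCP sources its DISCOVER from 0.0.0.0, which no
        # subnet rule matches: the chicken-and-egg case described in the text.
        if src_ip and src_ip != "0.0.0.0":
            addr = ipaddress.ip_address(src_ip)
            for net, rule_vlan in self.subnet_rules:
                if addr in net:
                    return rule_vlan
        return self.port_vlan.get(port)  # static membership, or None on a dynamic-only port

    def flood_ports(self, in_port, vlan):
        """Broadcast domain in action: every other port with static membership in `vlan`."""
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)

def build_example_switch():
    """Constructed ten-port switch: ports 1-5 static VLAN A, 6-8 static VLAN B,
    ports 9-10 dynamic-only; one printer pinned to B by MAC, one subnet mapped to B."""
    sw = VlanSwitch({"A": range(1, 6), "B": range(6, 9)})
    sw.add_mac_rule("00:11:22:33:44:55", "B")   # constructed MAC
    sw.add_subnet_rule("10.2.0.0/24", "B")      # constructed subnet
    return sw

if __name__ == "__main__":
    sw = build_example_switch()
    print(sw.classify(9, "de:ad:be:ef:00:01", "10.2.0.7"))  # placed in B by the IP rule
    print(sw.classify(9, "de:ad:be:ef:00:01", "0.0.0.0"))   # no VLAN: no IP address yet
```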
A final thought should be given to management. Switches generally provide full LAN bandwidth to each port rather than all ports sharing the available bandwidth. So, for a 10Mb/s ethernet switch, each port acts like a standalone ethernet segment, giving the full 10Mb/s (or 20Mb/s if full duplex is used) to the entity attached to it. This makes it difficult to manage so many LAN segments. Port mirroring helps when connecting network analysers, but historical data is still limited to mini-RMON. The advent of SMON (Switch MONitoring) should improve this.
- VLANs act like traditional LANs - they require routers or Layer 3 switches for interconnection
- VLANs can be used with most popular LAN media and ATM using LANE or AAL
- Planning and control are important in VLAN implementations
- Some dynamic VLAN technologies are used more for marketing than in the real world
www.cisco.com
www.lucent.com
www.hp.com
grouper.ieee.org/groups/802/1/