Vlans Come in A Variety of Shapes and Sizes


Shiratsuchi, Kenth F.

ECET515LA

ECE51 Engr. Warren Bejasa

Laboratory Exercise 6 Building a Small Wired and Wireless Network using ISR

Introduction

A VLAN (virtual local area network) is a logical subnetwork that can group devices together even when they sit on different physical local area networks (LANs). A local area network (LAN) is a collection of computers and devices that share a common wired or wireless communications link within the same geographic area. Without having to lay additional cables or make large changes to their current network architecture, network administrators can partition a single switched network to meet the functional and security requirements of their systems using VLANs. Larger enterprises frequently use VLANs to re-partition devices for better traffic management.

VLANs are also essential because they can improve a network's overall performance by

grouping together devices that communicate the most. VLANs also improve network security by

allowing for more control over which devices have access to each other on larger networks.

VLANs are more flexible than physical connections because they are based on logical connections rather than on cabling. One or more network switches can carry multiple independent VLANs, each of which behaves as a separate Layer 2 (data link) segment. Each VLAN is its own broadcast domain, and that domain typically spans one or more network switches.

Discussion

VLANs come in a variety of shapes and sizes.

Protocol-based, static, and dynamic VLANs are examples of VLAN types.


A protocol VLAN is one in which VLAN membership is assigned according to the Layer 3 protocol carried in the frame (identified by its EtherType, for example IPv4 versus IPX). Depending on the protocol, a switch will segregate or forward traffic.

In a static VLAN, also known as a port-based VLAN, a network administrator must manually assign each port on a network switch to a virtual network. In a dynamic VLAN, membership is instead assigned automatically from device characteristics such as the MAC address, so a network administrator can determine network membership based on the device rather than on the switch port it happens to be plugged into.

Switch ports (interfaces) can be allocated to one or more VLANs, allowing systems to be separated into logical groups based on which department they belong to and establishing rules for how systems in the different groups can communicate with one another. These groups can range from the simple and practical (computers in one VLAN can see the printer on that VLAN, but computers outside that VLAN cannot) to the sophisticated and legally motivated (for example, computers in the retail banking departments cannot interact with computers in the trading departments).

All hosts connected to switch ports configured with the same VLAN ID have data link (Layer 2) access to each other. The VLAN ID is a 12-bit field inside the 4-byte VLAN tag inserted into the Ethernet header; 12 bits give 4,096 possible values, of which ID 0 (priority-tagged, no VLAN) and 4095 are reserved, so a switching domain can have up to 4,094 VLANs. IEEE (Institute of Electrical and Electronics Engineers) 802.1Q defines VLAN tagging, which is also known as Dot1Q.
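The tag layout described above, as an added example that is not part of the original report: a small builder and parser for 802.1Q-tagged Ethernet frames. It goes slightly beyond the text by also handling stacked tags (an 802.1ad S-TAG, EtherType 0x88A8, outside a C-TAG), the double-tagging used by provider bridging. The MAC addresses, VLAN numbers and payload bytes are constructed for the demonstration.

```python
import struct

TPID_C = 0x8100   # IEEE 802.1Q customer tag (C-TAG)
TPID_S = 0x88A8   # IEEE 802.1ad service tag (S-TAG), the outer tag in QinQ
TAG_KIND = {TPID_C: "C-TAG", TPID_S: "S-TAG"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def vid_is_usable(vid: int) -> bool:
    """VID 0 means 'priority-tagged, no VLAN' and 0xFFF is reserved, so 4,094 IDs remain."""
    return 1 <= vid <= 4094


def build_frame(dst, src, ethertype, payload, tags=()):
    """Build an Ethernet frame; tags is a sequence of (tpid, vid, pcp), outer tag first."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for tpid, vid, pcp in tags:
        if not 0 <= vid <= 0xFFF or not 0 <= pcp <= 7:
            raise ValueError("VID must fit in 12 bits and PCP in 3 bits")
        tci = (pcp << 13) | vid           # Tag Control Information; DEI bit left at 0
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the header, peeling off every VLAN tag until a real EtherType is found."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    off, tags = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated EtherType")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_KIND:
            break                          # not a tag: this is the payload EtherType
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({
            "kind": TAG_KIND[etype],
            "pcp": tci >> 13,              # 3-bit priority code point
            "dei": (tci >> 12) & 1,        # drop-eligible indicator (formerly CFI)
            "vid": tci & 0x0FFF,           # 12-bit VLAN identifier
        })
        off += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": etype, "payload": frame[off + 2:]}


if __name__ == "__main__":
    # Constructed sample: an ARP request in VLAN 10, then the same frame carried
    # inside provider VLAN 500 (QinQ), then an untagged copy.
    single = build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:00:00:01", 0x0806,
                         b"\x00\x01\x08\x00", tags=[(TPID_C, 10, 0)])
    qinq = build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:00:00:01", 0x0806,
                       b"\x00\x01\x08\x00", tags=[(TPID_S, 500, 3), (TPID_C, 10, 0)])
    for f in (single, qinq):
        p = parse_frame(f)
        print([(t["kind"], t["vid"]) for t in p["tags"]], hex(p["ethertype"]))
    print(sum(vid_is_usable(v) for v in range(4096)), "usable VLAN IDs")
```

Because the loop keeps consuming 4-byte tags until it finds a non-tag EtherType, a parser built this way sees the same VLAN membership that a switch does; software that only checks the first tag will mis-classify stacked frames.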

When an untagged frame is received from an attached host, the switch inserts an 802.1Q tag carrying the VLAN ID configured on that interface into the data link frame header. The 802.1Q frame is then forwarded toward its destination. Each switch uses the tag to keep each VLAN's traffic separate from that of other VLANs, forwarding a frame only out ports that are members of its VLAN. Trunk links between switches carry multiple VLANs and rely on the tag to keep them apart. Before the frame is sent to the destination device, the tag is removed at the egress access port of the destination switch.

A trunk configuration, in which each frame sent across the port is tagged with its VLAN ID, can be used to carry many VLANs over a single port, as mentioned above. To send and receive tagged frames, the interface on the neighboring device, which could be on another switch or on a host that supports 802.1Q tagging, must also be configured in trunk mode. Any Ethernet frames that arrive on a trunk without a tag are assigned to a default VLAN, called the native VLAN, that can be specified in the switch configuration. Because untagged trunk traffic is silently placed in the native VLAN, it is good practice to use a dedicated, otherwise unused VLAN as the native VLAN rather than one that carries user traffic.

A VLAN-enabled switch adds the VLAN tag assigned to the ingress interface to an untagged Ethernet frame received from an attached host. If the destination MAC address (media access control address) is already known, the frame is forwarded only out the port on which that address was learned in that VLAN. BUM traffic (broadcast, unknown unicast, and multicast) is flooded to all ports in the VLAN except the one it arrived on. When the unknown host responds to an unknown unicast frame, the switches learn its location from the source address and no longer flood subsequent frames addressed to that host. Two mechanisms keep the switch forwarding tables up to date. First, stale forwarding entries are periodically removed from the forwarding tables, usually after a configurable ageing timeout. Second, every topology change shortens the ageing timer, so that entries learned over the old topology are flushed quickly and relearned.
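The tagging and forwarding behaviour described in the last few paragraphs (access ports adding and stripping tags, trunk ports with a native VLAN, per-VLAN MAC learning, BUM flooding confined to the VLAN, ageing and the topology-change flush), as an added example that is not part of the original report. The toy switch, its port names, the host MAC addresses and the traffic are all constructed for the demonstration; the 15-second fast-ageing value is the 802.1D forward-delay default that real switches apply after a topology change.

```python
import time


def is_bum(mac: str) -> bool:
    """Broadcast/multicast destinations (I/G bit set in the first octet) are always flooded."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VlanSwitch:
    """Toy VLAN-aware learning switch with access and trunk ports.

    Frames are dicts: {"dst": mac, "src": mac, "vlan": int or None (untagged)}.
    The MAC table is keyed by (VLAN, MAC), so learning and flooding never cross VLANs.
    """

    def __init__(self, aging_seconds=300.0, clock=time.monotonic):
        self.ports = {}          # port -> config dict
        self.table = {}          # (vlan, mac) -> [port, last_seen]
        self.aging = aging_seconds
        self.clock = clock       # injectable clock so ageing can be exercised deterministically

    def add_access_port(self, port, vlan):
        self.ports[port] = {"mode": "access", "vlan": vlan}

    def add_trunk_port(self, port, allowed, native=1):
        self.ports[port] = {"mode": "trunk", "allowed": set(allowed), "native": native}

    def _is_member(self, port, vlan):
        p = self.ports[port]
        return p["vlan"] == vlan if p["mode"] == "access" else vlan in p["allowed"]

    def _ingress_vlan(self, port, frame):
        """Classify an arriving frame; None means the frame is dropped."""
        p = self.ports[port]
        tag = frame.get("vlan")
        if p["mode"] == "access":
            return p["vlan"] if tag is None else None   # tagged frames on an access port are rejected
        if tag is None:
            tag = p["native"]                            # untagged on a trunk -> native VLAN
        return tag if tag in p["allowed"] else None     # tags outside the allowed list are dropped

    def _egress(self, port, vlan, frame):
        """Access ports and the trunk's native VLAN send untagged; other trunk traffic is tagged."""
        p = self.ports[port]
        out = dict(frame)
        out["vlan"] = None if p["mode"] == "access" or vlan == p["native"] else vlan
        return out

    def age_out(self, max_age=None):
        """Drop entries idle longer than max_age (default: the normal ageing timer)."""
        limit = self.aging if max_age is None else max_age
        now = self.clock()
        stale = [k for k, (_, seen) in self.table.items() if now - seen > limit]
        for k in stale:
            del self.table[k]
        return len(stale)

    def topology_change(self, fast_age=15.0):
        """What a switch does on an STP topology change: age the table with a much shorter timer."""
        return self.age_out(max_age=fast_age)

    def receive(self, in_port, frame):
        """Process one frame; return {out_port: frame_as_sent}."""
        vlan = self._ingress_vlan(in_port, frame)
        if vlan is None:
            return {}
        self.table[(vlan, frame["src"])] = [in_port, self.clock()]   # learn the source
        self.age_out()
        entry = None if is_bum(frame["dst"]) else self.table.get((vlan, frame["dst"]))
        if entry is None:                      # BUM or unknown unicast: flood within the VLAN only
            targets = [p for p in self.ports if p != in_port and self._is_member(p, vlan)]
        elif entry[0] == in_port:              # destination is behind the ingress port: filter
            targets = []
        else:                                  # known unicast: forward out the learned port only
            targets = [entry[0]]
        return {p: self._egress(p, vlan, frame) for p in targets}


# Constructed hosts: H1 and H2 in VLAN 10, H3 in VLAN 20.
H1, H2, H3 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"


def build_demo_switch(clock=time.monotonic):
    sw = VlanSwitch(clock=clock)
    sw.add_access_port("Gi1", 10)                              # H1
    sw.add_access_port("Gi2", 10)                              # H2
    sw.add_access_port("Gi3", 20)                              # H3
    sw.add_trunk_port("Gi24", allowed={10, 20}, native=1)      # uplink to the next switch / router
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    print(sw.receive("Gi1", {"dst": H2, "src": H1, "vlan": None}))   # unknown: Gi2 untagged, Gi24 tagged 10
    print(sw.receive("Gi2", {"dst": H1, "src": H2, "vlan": None}))   # H1 now known: Gi1 only
    print(sw.receive("Gi3", {"dst": H1, "src": H3, "vlan": None}))   # VLAN 20 never reaches Gi1/Gi2
    print(sw.receive("Gi1", {"dst": H2, "src": H1, "vlan": 10}))     # tagged frame on an access port: dropped
```

The third call is the point of the whole exercise: H3's frame is addressed to H1's MAC, but the table is keyed by VLAN, so the switch floods it only on the trunk as VLAN 20 and H1's port never sees it. Rejecting tagged frames on access ports and restricting the allowed list on trunks are the two checks that keep that separation honest.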

To build a loop-free topology among the switches in each Layer 2 domain, the Spanning Tree Protocol (STP) is employed. A per-VLAN STP instance can be used to give different VLANs different Layer 2 topologies, or, where several VLANs share the same topology, a multiple-instance STP (Cisco's MISTP, or the IEEE 802.1s standard MSTP) can map many VLANs onto one instance to reduce STP overhead. STP creates a spanning tree rooted at an elected root switch by blocking forwarding on links that would otherwise create forwarding loops. This means that some links will not be used for forwarding until another section of the network fails, at which point STP makes the blocked link active again.

The diagram above depicts a switch domain with four switches and two VLANs. The switches are connected in a ring topology. STP blocks one port, which turns the ring into a tree topology with no forwarding loops; the red bar across the link indicates that the port on switch D facing switch C is blocked. Trunk links carrying VLAN 10 (orange) and VLAN 20 (green) connect the switches to the router. The hosts in VLAN 10 are able to communicate with server O, and server G can communicate with hosts connected to VLAN 20. The router has an interface with its own IPv4 subnet on each VLAN, which provides the routed path for communication between the two VLANs.
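The port-role computation behind that diagram, as an added example that is not part of the original report: a simplified 802.1D calculation (root bridge election, root path cost, root/designated/alternate ports) run over the four-switch ring. The bridge priorities, MAC addresses and equal link costs are assumptions chosen so that switch B wins the root election and the blocked port comes out on D's link toward C, as in the text; real switches converge on the same roles by exchanging BPDUs.

```python
import heapq


def compute_stp(bridges, links):
    """bridges: {name: (priority, mac)}; links: [(a, b, path_cost), ...].

    Returns (root, roles) where roles maps (switch, neighbour) to 'root',
    'designated' or 'alternate'. Alternate ports are the ones STP blocks.
    """
    bid = dict(bridges)                      # bridge ID = (priority, MAC); the lowest wins
    root = min(bid, key=bid.get)
    adj = {n: [] for n in bid}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))

    # Root path cost: cheapest cost from each bridge to the root (Dijkstra).
    rpc = {n: float("inf") for n in bid}
    rpc[root] = 0
    heap = [(0, bid[root], root)]
    while heap:
        cost, _, n = heapq.heappop(heap)
        if cost > rpc[n]:
            continue
        for nbr, c in adj[n]:
            if cost + c < rpc[nbr]:
                rpc[nbr] = cost + c
                heapq.heappush(heap, (cost + c, bid[nbr], nbr))

    # Root port: the neighbour offering the lowest (cost via it, neighbour bridge ID).
    root_port = {n: min(adj[n], key=lambda t: (rpc[t[0]] + t[1], bid[t[0]]))[0]
                 for n in bid if n != root}

    roles = {}
    for a, b, _ in links:
        # The end with the lower (root path cost, bridge ID) is designated for the link.
        designated = min((a, b), key=lambda n: (rpc[n], bid[n]))
        for me, other in ((a, b), (b, a)):
            if root_port.get(me) == other:
                roles[(me, other)] = "root"
            elif me == designated:
                roles[(me, other)] = "designated"
            else:
                roles[(me, other)] = "alternate"   # blocked: forwarding here would close a loop
    return root, roles


def blocked_ports(bridges, links):
    _, roles = compute_stp(bridges, links)
    return sorted(p for p, r in roles.items() if r == "alternate")


# Constructed ring for the four switches in the text. Priorities are an assumption
# chosen so that B is the root; the MAC addresses are made up.
SWITCHES = {
    "A": (8192, "00:00:00:00:00:0a"),
    "B": (4096, "00:00:00:00:00:0b"),    # lowest priority -> root bridge
    "C": (16384, "00:00:00:00:00:0c"),
    "D": (32768, "00:00:00:00:00:0d"),
}
RING = [("A", "B", 4), ("B", "C", 4), ("C", "D", 4), ("D", "A", 4)]   # cost 4 = 1 Gbit/s in 802.1D-1998


if __name__ == "__main__":
    root, roles = compute_stp(SWITCHES, RING)
    print("root bridge:", root)
    for (sw, nbr), role in sorted(roles.items()):
        print(f"  {sw} -> {nbr}: {role}")
    print("blocked:", blocked_ports(SWITCHES, RING))
    # When the A-B link fails, D's port toward C becomes its root port and nothing stays blocked.
    print("after A-B failure:", blocked_ports(SWITCHES, [l for l in RING if l != ("A", "B", 4)]))
```

D reaches the root at equal cost through A and through C; the tie is broken by the lower bridge ID (A), so D's port toward C is the one left blocked. Removing the A-B link from the topology shows the recovery behaviour the text describes: the same function now reports no alternate ports, because the formerly blocked link is the only remaining path.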

Advantages of VLANs include reduced broadcast traffic, improved security, ease of administration and broadcast domain confinement.


However, VLANs have a disadvantage: the limit of 4,094 usable VLANs per switching domain creates problems for large hosting providers, which often need to allocate tens or hundreds of VLANs for each customer. To address this limitation, other protocols, like VXLAN (Virtual Extensible LAN), NVGRE (Network Virtualization using Generic Routing Encapsulation) and Geneve, use larger segment identifiers (24 bits, or about 16 million segments, in each of the three) and tunnel Layer 2 frames within Layer 3 (network) packets.

Finally, communication between VLANs is performed by routers. Modern switches often incorporate routing functionality and are called Layer 3 switches.

Reflection

A virtual LAN (VLAN) is a method of establishing several virtual switches within a single

physical switch. As a result, ports set for VLAN 10 behave as if they're all connected to the same

switch. VLAN 20 ports cannot communicate directly with VLAN 10 ports. They need to be

routed between the two of them (or have a link that bridges the two VLANs).

VLANs are virtual networks built within a physical network. Their major function is to provide isolation, which is frequently used to reduce the size of a network's broadcast domains, but they can also be used for a variety of other purposes. They are a tool that every network engineer should be familiar with, yet, like any tool, they can be misused or employed at inopportune moments. Because no single tool is appropriate for all networks and scenarios, the more tools you have, the more environments you can work in. Knowing more about VLANs will enable you to use them when you need them and to do it correctly.

As an example of how they might be employed: I presently work in an environment where SCADA (supervisory control and data acquisition) devices are commonly used. SCADA devices are often simplistic and have a lengthy history of shoddy software development, which
frequently exposes severe security flaws. We've put the SCADA devices on their own VLAN,

with no L3 gateway. The only way into their logical network is through the server they connect

with (which has two interfaces, one of which is in the SCADA VLAN), which may be secured

using host-based security, which is not possible on the SCADA devices. The SCADA devices

are separated from the rest of the network by a firewall.

In terms of design concepts, the most frequent application is to align your VLANs with your

organizational structure, for example, engineering personnel in one VLAN, marketing personnel

in another, IP phones in yet another, and so on. VLANs can also be used to "transport" various

network functions across one (or more) cores in other systems. Layer 3 termination of VLANs

('SVI' in Cisco lingo, 'VE' in Brocade lingo, etc.) is also achievable on some devices, obviating

the requirement for a separate piece of hardware when inter-VLAN communication is required.

At scale, VLANs become difficult to administer and maintain, as you've undoubtedly already

seen on NESE. In the service provider world, there's PB (Provider Bridging - also known as

"QinQ," double tagging, stacked tags, and so on), PBB (Provider Backbone Bridging - "MAC-in-

MAC"), and PBB-TE, all of which were created to address the issue of the limited number of

VLAN IDs. PBB-TE aspires to do away with dynamic learning, flooding, and spanning tree. The

4,094 limitation originates from the fact that there are only 12 bits available for use as a VLAN

ID in a C-TAG/S-TAG (0x000 and 0xFFF are reserved).

VPLS or PBB can be used to eliminate the traditional scaling ceilings involved with PB.

The fundamental use case for VLANs is nearly identical to the fundamental use case for

segmenting a network into numerous data link broadcast domains. The fundamental distinction is

that in a physical LAN, each broadcast domain requires at least one device (usually a switch),
whereas in a virtual LAN, broadcast domain membership is determined port-by-port and can be

changed without adding or replacing hardware.

VLANs should be designed in the same way as physical LANs (PLANs) for simple applications. To do so, you must understand the following three concepts:

Trunking - A trunk link is any connection that transmits frames from multiple VLANs. Trunk

links are typically configured on switch-to-switch and switch-to-router links.

When sending onto a trunk link, the device must tag each frame with the numeric VLAN ID to which it belongs so that the receiving device can confine it to the relevant broadcast domain. Host-facing ports are usually untagged, whereas switch- and router-facing ports are usually tagged. The tag is carried inside the data link encapsulation.



References

https://networkengineering.stackexchange.com/questions/732/introductory-level-explanation-of-vlans

https://searchnetworking.techtarget.com/definition/virtual-LAN
