Guest Author - Cathy Spearmon
Virtual LANs, also known as VLANs, have become an integral feature of many switched LAN solutions as an alternative to routers.
What is a Virtual LAN (VLAN)?
In traditional LANs, workstations are connected to each other by means of a hub or a repeater. These devices simply retransmit incoming data throughout the network. If two stations send data at the same time, a collision occurs and all the data transmitted is lost. The hubs and repeaters propagate the collision throughout the network, so the original data has to be sent again. Preventing collisions requires routers or bridges.
LAN segments are formed from workstations, hubs and repeaters. They are commonly known as collision domains because collisions remain within the segment. A broadcast domain, or LAN, is the area in which broadcasts and multicasts are confined, so one or more LAN segments can be incorporated in a single LAN. The physical connections between the hubs, workstations, switches and routers determine the broadcast and collision domains, meaning that everyone participating in the LAN must be in the same location. A virtual LAN, a subnetwork defined by software rather than by physical wiring, removes that constraint of physically wired networks: it lets networks closely support the needs of workgroups and provides easier administration. Just as individuals belong to multiple workgroups, individual workstations and servers can participate in multiple VLANs. Broadcast domains can be defined without a router; a router is needed only when two VLANs must communicate. Bridging software is used to define which workstations are included in each broadcast domain.
Benefits of VLANs
Though there are quite a few benefits to virtual LANs, the primary benefits of VLANs are simplified LAN administration and improved security.
Administrative costs are low because VLANs reduce the hardship of LAN relocations and modifications. These relocations and modifications can be made automatically, or from the Network Administrator’s workstation, without physically modifying the end user’s workstation. Simply dragging and dropping workstations from one VLAN to another makes moves and modifications a matter of seconds, which cuts costs dramatically.
With shared-media networks, broadcasts tend to create security and performance issues because the traffic between workstations on the network can be seen by every station on it. On virtual LANs, all communications are contained and directed exclusively to their specific destinations. This suits groups working on specific and confidential projects, because traffic is assured not to be seen outside the workgroup.
How a Virtual LAN Works
Whenever a LAN bridge receives data from a workstation, it tags the data with a VLAN identifier that indicates which VLAN the data originated from. This process is called explicit tagging. With implicit tagging, the data itself carries no tag, but the VLAN it came from can be determined from information about the port on which the data arrived. Data can be assigned to a VLAN based on several things, such as the port on which it arrived, the Media Access Control (MAC) address, the network address of the source, or a combination of fields. Because VLANs are classified according to these methods, bridges are needed to perform the tagging. Each bridge maintains a database, called a filtering database, which holds the same information that all the other bridges on the LAN hold in their databases.
A filtering database consists of two kinds of entries: static entries and dynamic entries.
Static entry information is added, modified and deleted by the Network Administrator only. These entries are not removed automatically; they must be removed explicitly. There are two types of static entries: static filtering entries and static registration entries. Static filtering entries specify, for every port, whether frames are to be forwarded or discarded, or whether they should follow the dynamic entry instead. Static registration entries determine whether frames sent to a specific VLAN should be tagged or untagged, and which ports are registered for that VLAN.
Dynamic entries are learned by the bridge and cannot be created or updated by the Network Administrator. The learning process examines the port on which a frame is received, along with the frame’s source address and VLAN identifier, and updates the filtering database accordingly. The entry is updated only if all three of the following conditions are met:
1. The port allows learning
2. The source address is a workstation address and not a group address, and
3. There is space available in the database.
Bridges determine the destination of the data and whether a VLAN identifier should be added to it. If the data is destined for a device within a VLAN, an identifier is added to the data before it is sent. If the data is destined for a device outside the VLAN, no identifier is added and the data is sent as is.
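The filtering database described above, with its static filtering entries, static registration entries and learned dynamic entries, is easiest to understand as a small model. The following is an added example written for this page; it is not code from the article or from any bridge implementation. The capacity limit, the port numbers, the MAC addresses and the meaning of the "dynamic" action (follow the learned entry, flood the VLAN when nothing has been learned) are assumptions of the example. It also makes the isolation claim from the Benefits section concrete: traffic on one VLAN is only ever sent on ports registered for that VLAN.

```python
from collections import OrderedDict


def is_group_address(mac: bytes) -> bool:
    """Group (multicast/broadcast) MAC addresses have the I/G bit set in the first octet."""
    return bool(mac[0] & 0x01)


class FilteringDatabase:
    """Toy model of a bridge filtering database with the entry types the text describes.

    static_filter: (mac, vid) -> {port: "forward" | "discard" | "dynamic"}  (static filtering)
    registration:  vid -> {port: "tagged" | "untagged"}                      (static registration)
    dynamic:       (mac, vid) -> port, learned from traffic, capped at `capacity`
    The capacity and the "dynamic" action semantics are assumptions of this example.
    """

    def __init__(self, learning_ports, capacity=4):
        self.learning_ports = set(learning_ports)  # ports on which learning is allowed
        self.capacity = capacity
        self.static_filter = {}
        self.registration = {}
        self.dynamic = OrderedDict()

    # Static entries: written and removed only by the administrator, never aged out.
    def add_static_filter(self, mac, vid, port_actions):
        self.static_filter[(mac, vid)] = dict(port_actions)

    def remove_static_filter(self, mac, vid):
        self.static_filter.pop((mac, vid), None)

    def register_vlan(self, vid, port_modes):
        self.registration[vid] = dict(port_modes)

    # Dynamic entries: learned from (port, source MAC, VID); the administrator cannot write them.
    def learn(self, port, src_mac, vid) -> bool:
        """Apply the three learning conditions; return True only if the entry was written."""
        if port not in self.learning_ports:          # 1. the port allows learning
            return False
        if is_group_address(src_mac):                # 2. source is a workstation, not a group
            return False
        key = (src_mac, vid)
        if key not in self.dynamic and len(self.dynamic) >= self.capacity:
            return False                             # 3. space available (a refresh needs none)
        self.dynamic[key] = port
        return True

    def egress_ports(self, ingress_port, dst_mac, vid):
        """Return [(port, tagged)] the frame is sent on; an empty list means discard."""
        members = self.registration.get(vid, {})
        if ingress_port not in members:
            return []                                # ingress port not registered for this VLAN
        static = self.static_filter.get((dst_mac, vid), {})
        learned = self.dynamic.get((dst_mac, vid))
        chosen = []
        for p in members:
            if p == ingress_port:
                continue                             # never send a frame back where it came from
            action = static.get(p, "dynamic")
            if action == "forward":
                chosen.append(p)
            elif action == "dynamic" and (learned is None or learned == p):
                chosen.append(p)                     # follow the learned port; unknown -> flood
            # "discard": never forward on this port
        # Static registration decides whether the frame leaves tagged or untagged.
        return [(p, members[p] == "tagged") for p in chosen]


def build_demo_db() -> FilteringDatabase:
    """Constructed topology: VLAN 10 on access ports 1-2 and trunk 5; VLAN 20 on port 3 and trunk 5."""
    db = FilteringDatabase(learning_ports={1, 2, 5}, capacity=3)
    db.register_vlan(10, {1: "untagged", 2: "untagged", 5: "tagged"})
    db.register_vlan(20, {3: "untagged", 5: "tagged"})
    return db


# Constructed sample addresses (locally administered MACs and the broadcast address).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6
```

Two behaviours are worth noticing when running this model. A destination that has not been learned is flooded, but only to ports registered for the frame's VLAN, so the third learning condition (space in the table) is what decides whether the bridge keeps forwarding precisely or degrades to flooding within the VLAN; a static "discard" entry wins over anything learned, which is why static filtering entries are the administrator's tool for pinning down what must never be forwarded on a port.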
Types of Virtual LANs
In order to understand exactly how a virtual LAN works, you need to know the different types of VLANs.
• Layer 1 VLAN: Membership by Port
Membership in the VLAN is determined by the ports that belong to it. The main disadvantage of this method is that it does not allow for user mobility: if a user relocates away from the bridge, the VLAN must be reconfigured.
• Layer 2 VLAN: Membership by MAC Address
The MAC address of the workstation determines membership in the VLAN, and the switch tracks the MAC addresses in each VLAN. Because the MAC address is part of each machine’s network interface card, no reconfiguration is needed if a workstation is relocated.
The main disadvantage of this method is that VLAN membership must be assigned initially, which can be quite difficult if the network contains hundreds of users. Also, for users with laptops, the docking station’s MAC address is associated with the VLAN instead of the actual laptop’s.
• Layer 2: Membership by Protocol Type
In this type of virtual LAN, membership is based on the protocol field found in the Layer 2 header.
• Layer 3: Membership by IP Subnet Address
Within this virtual LAN, membership is determined from the Layer 3 header, by the network IP subnet address. This has nothing to do with network routing; the IP addresses are used only to determine membership in the VLAN. Workstations can be moved without reconfiguration. The main problem with this method is that it occasionally takes a bit longer to forward packets using the Layer 3 information.
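To tie the four membership types together with the explicit and implicit tagging described in the "How a Virtual LAN Works" section, here is an added example of what a bridge does when a frame arrives: a frame that already carries a VLAN identifier keeps it (explicit tagging), and an untagged frame is assigned a VLAN by port, MAC address, protocol type or IP subnet (implicit tagging) and then tagged. This is example code written for this page, not the article's or any switch vendor's. The tag format is the IEEE 802.1Q one (a 4-byte header after the source MAC, with VIDs 0 and 4095 reserved), which the article does not name; the rule precedence (MAC, then IP subnet, then protocol type, then port), the `IngressClassifier` class, and the sample MACs, subnets and port numbers are assumptions of the example.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100     # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def parse_ethernet(frame: bytes) -> dict:
    """Split a frame into dst, src, explicit VID (None if untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18           # low 12 bits of the TCI are the VID
    return {"dst": frame[0:6], "src": frame[6:12], "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def insert_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Explicit tagging: put a 4-byte 802.1Q header after the source MAC.
    VIDs 0 and 4095 are reserved by the standard, so they are refused."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("VID or priority out of range")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]


class IngressClassifier:
    """Implicit tagging for untagged frames using the four membership rules of the text.
    Rule precedence (an assumption of this example): MAC, IP subnet, protocol type, port."""

    def __init__(self):
        self.by_mac = {}        # src MAC bytes -> VID   (Layer 2, MAC address)
        self.by_subnet = []     # [(ip_network, VID)]   (Layer 3, IP subnet)
        self.by_protocol = {}   # EtherType -> VID      (Layer 2, protocol type)
        self.by_port = {}       # ingress port -> VID   (Layer 1, port)

    def classify(self, port: int, hdr: dict):
        """Return (vid, rule) for an untagged frame, or (None, 'drop') when no rule matches."""
        if hdr["src"] in self.by_mac:
            return self.by_mac[hdr["src"]], "mac"
        if hdr["ethertype"] == ETHERTYPE_IPV4 and len(hdr["payload"]) >= 20:
            src_ip = ipaddress.IPv4Address(hdr["payload"][12:16])   # IPv4 source address field
            for net, vid in self.by_subnet:
                if src_ip in net:
                    return vid, "subnet"
        if hdr["ethertype"] in self.by_protocol:
            return self.by_protocol[hdr["ethertype"]], "protocol"
        if port in self.by_port:
            return self.by_port[port], "port"
        return None, "drop"


def ingress(classifier: IngressClassifier, port: int, frame: bytes):
    """Bridge behaviour on arrival: keep an explicit tag, otherwise tag implicitly.
    Returns (vid, rule, tagged_frame); vid None means the frame is discarded."""
    hdr = parse_ethernet(frame)
    if hdr["vid"] is not None:
        return hdr["vid"], "explicit", frame
    vid, rule = classifier.classify(port, hdr)
    if vid is None:
        return None, rule, None
    return vid, rule, insert_tag(frame, vid)


# --- constructed sample data for running the example ---
def build_frame(src_mac_hex: str, ethertype: int, payload: bytes) -> bytes:
    """Constructed untagged frame to the broadcast destination."""
    return b"\xff" * 6 + bytes.fromhex(src_mac_hex) + struct.pack("!H", ethertype) + payload


def ipv4_payload(src_ip: str) -> bytes:
    """Constructed minimal 20-byte IPv4 header: version/IHL, zeros, then source and destination IPs."""
    return b"\x45" + b"\x00" * 11 + ipaddress.IPv4Address(src_ip).packed + b"\x00" * 4


def build_demo_classifier() -> IngressClassifier:
    """Constructed policy: one MAC pinned to VLAN 30, 10.1.0.0/16 -> VLAN 10, ARP -> VLAN 99, ports 1-2 -> VLAN 20."""
    c = IngressClassifier()
    c.by_mac[bytes.fromhex("020000000001")] = 30
    c.by_subnet.append((ipaddress.ip_network("10.1.0.0/16"), 10))
    c.by_protocol[ETHERTYPE_ARP] = 99
    c.by_port.update({1: 20, 2: 20})
    return c
```

Running `ingress(build_demo_classifier(), port, frame)` for the same MAC-based station on two different ports shows the mobility point from the text: the MAC rule assigns the same VLAN on either port, whereas a station that matches only the port rule changes VLAN (or is dropped) the moment it is plugged in elsewhere. The `len(hdr["payload"]) >= 20` check is the edge case a real classifier must handle: a frame that claims IPv4 but is too short to carry a source address falls through to the protocol and port rules instead of being misclassified.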