virtual LAN (VLAN)

A group of ports on an Ethernet switch that behaves like a separate network segment.

Overview

The simplest form of a large Ethernet network is one built using only hubs arranged in a cascaded star topology. For example, in a building there might be one workgroup hub for each work area connected to a root hub in the wiring closet. Such a network has two drawbacks:

• The entire network is one collision domain, which causes the network to scale poorly as the number of hosts increases. Once a certain number of hosts are present on the network, collisions start to occur frequently and network bandwidth is wasted.

• The entire network is also one broadcast domain, which increases the probability of broadcast storms occurring and bringing down the network.

The first problem, that of collisions, is usually dealt with by replacing the main or root hub with an Ethernet switch, specifically a Layer 2 switch. This has the effect of partitioning the network into multiple smaller collision domains, which in this example means that each work area will be a separate collision domain. This reduces the overall effect of collisions on the network and isolates problems arising from too many collisions occurring in one area from other parts of the network. Unfortunately, this simple solution does not solve the second problem, that of broadcasts. In a cascaded star topology where workgroup hubs are connected to a Layer 2 switch, the entire network is still one large broadcast domain, which increases the risk of broadcast storms. Furthermore, if network services are running that advertise themselves using broadcasts, then a significant amount of overall bandwidth might be consumed by these broadcasts, reducing the amount of available bandwidth for other forms of network communications.
The traditional solution to this problem has been to use routers to partition the network into multiple smaller broadcast domains, because routers generally do not forward broadcasts between their interfaces. This works well, but as the network increases in size, the number of network devices (hubs, routers, and switches) increases also, which leads to greater infrastructure costs. Another problem with this traditional style of network is that when a user moves to a different work area and takes his or her computer along to the new area, some recabling is usually necessary. For example, when the user connects the computer to the local area network (LAN) drop in the new work area, the administrator usually has to go to the wiring room and switch the ends of the old and new LAN drop plugs to make sure the user is connected to the right hub or switch. Because cabling is typically somewhat disorganized in wiring rooms, this task can be a nightmare and is prone to error.

Virtual LAN (VLAN) technologies were developed to solve all these problems. VLANs allow networks to be segmented logically without having to be physically rewired. Instead of having all ports on a switch be equal and belong to the same network, ports can be segregated into groups, each belonging to a separate logical network. For example, on a 3-port switch you could configure ports 1 and 2 as belonging to network 10 and port 3 as belonging to network 20 (see the illustration on the following page). Physically, all three ports seem to be on the same network, but in reality they are not—broadcasts sent to port 1 can only reach port 2 and not port 3. Administrators can easily make these port assignments indicating which VLANs are mapped to which ports by accessing the software for the switch. Note that VLAN ports do not have to be contiguous—for example, ports 1 and 3 could be on the same VLAN and port 2 on a different VLAN.

The benefits of using VLAN-enabled switches include the following:
• The ability to segment networks into multiple smaller broadcast domains without needing additional network devices such as routers to do this. VLANs make switched Ethernet networks more bandwidth-efficient through this segmentation of broadcast domains.

• The ability to reconfigure ports logically without needing to unplug wires and move them around. If a user takes his or her computer to a new work area, no cables need to be swapped on the switch—just access the switch software and issue commands to change the VLAN assignments for the old and new ports. VLANs thus simplify the process of adding, moving, and deleting users on the network. They also improve network security by avoiding cabling mishaps that can arise when users are moved in traditional Ethernet networks.

• The ability to group users together according to function rather than physical location. In a traditional Ethernet network, all users in a given work area are on the same network segment regardless of their job description or department. Using VLANs, however, you could have one salesperson in each work area of the building sitting next to engineers in their work area, yet on a separate logical network segment.

Implementation

VLANs have the following characteristics:

• One switch may have several VLANs defined on it. A VLAN is identified using a special identification number called a VLAN ID. Stations attached to switch ports having the same VLAN ID act and function as though they are all on the same physical network segment. In other words, broadcasts sent by one host are received only by hosts connected to ports having the same VLAN ID as the sending host. Administrators typically assign VLAN IDs manually at the port level, although port assignments can also be managed dynamically for some switches (the switch does this by maintaining an internal table mapping the media access control [MAC] addresses of connected stations to their VLAN ID).
When a host is moved to another department, the only change needed is the assignment of a different VLAN ID to the port to which the host is connected—no switching of patch cables is required.

• A single VLAN can span multiple switches connected together. By using a method called trunking, VLAN-enabled switches can be connected to form large VLANs spanning switches right across the enterprise. To do this, a port on the switch must be designated a trunk port, and trunk ports on different switches are connected using trunk lines. For example, when Fast Ethernet ports are used as trunk ports, trunking can be accomplished by connecting such ports on different switches using enhanced Category 5 (Cat5e) crossover cables.

Switch vendors have traditionally developed their own proprietary VLAN technologies, so implementing a VLAN typically means buying all your switching gear from a single vendor. Cisco Systems is the market leader in VLAN-enabled switches, and many of their Catalyst line of switches support VLANs. Cisco Catalyst switches employ several types of technologies in order to implement enterprise VLANs, namely:

• Frame tagging: When an Ethernet frame enters a port on a VLAN-enabled switch, the switch encapsulates the frame by adding a special header or tag that contains the VLAN ID of the port at which the frame arrived. The switch uses the frame tag to determine which ports it can be forwarded to (ports having the same VLAN ID). The tag is then stripped off at the destination ports on the switch, or in the case of traffic moving across multiple switches using trunked connections, it is stripped off when it reaches the destination ports on other connected switches.

• Inter-switch link (ISL): This is a proprietary Cisco technology that enables a single port to belong to multiple VLANs—that is, to have multiple VLAN IDs assigned to it. ISL is used for trunking and is also available on special network interface cards (NICs) for servers.
When a server has an ISL-supporting NIC installed, it behaves as if it had multiple physical NICs, one for each VLAN. This enables workstations on different VLANs to access the same server, eliminating the need to have separate servers for each VLAN.

• VLAN Trunking Protocol (VTP): This is a proprietary Cisco technology that simplifies the task of configuring VLANs across a network. By making any necessary configuration changes to settings on a VTP server, these changes are then propagated across the network to all VLAN-enabled switches that are defined as belonging to the same VTP management domain.

Issues

Three main issues have slowed the acceptance of VLANs in the enterprise: standards, Dynamic Host Configuration Protocol (DHCP), and Layer 3 switches.

The problem of standards arises from the proprietary nature of VLAN implementations from different switch vendors. This has resulted in interoperability issues where equipment from one vendor fails to work with that from another vendor. There has been some progress toward standardizing VLAN technologies, however. One important step was the development of the 802.1Q standard from the Institute of Electrical and Electronics Engineers (IEEE), which replaces Cisco’s proprietary ISL technology with a standards-based solution. Another development has been the adoption of RFC 2878 by the Internet Engineering Task Force (IETF), which standardizes VLAN frame tagging using the new VLAN Tagged Frame format. RFC 2878 also provides guidelines for switch vendors to improve interoperability with regard to signaling, link aggregation, and Layer 2 traffic prioritization.

The second issue is that of address management of stations on the network. VLANs were originally designed to simplify the management of hosts on the network by using their Layer 2 MAC addresses to identify them to switches.
When a computer is unplugged from a LAN drop, moved to a different physical location, and plugged into a different drop, VLAN switches can automatically detect the computer’s new location by its MAC address and reconfigure themselves dynamically. The problem is that DHCP was designed for the very same job of dynamic address management but uses Layer 3 (IP) addresses instead. Because DHCP is a much simpler system, most network managers have chosen it instead of VLANs to ensure that computers can be physically moved around the network if needed. As a result, most VLAN administration is performed manually by assigning VLAN IDs to ports using a command-line interface, a difficult chore in a large enterprise.

The third issue that has slowed the adoption of VLANs has been the emergence of Layer 3 switches, which can perform both bridging (Layer 2) and routing (Layer 3) functions in one box. Layer 3 switches have almost eliminated the need for VLANs in most enterprises. Instead of creating multiple VLANs to segment the network into smaller broadcast domains, the same thing can be accomplished by replacing the root Layer 2 switch with a Layer 3 switch. Each port on the Layer 3 switch represents a separate routed subnet, and the network is thus automatically partitioned into separate broadcast domains.

Prospects

Because of the above issues, the future of VLANs is cloudy. Most enterprise network architects see little point in deploying VLANs when Layer 3 switches can accomplish the same result with less effort. And DHCP manages addresses at Layer 3 more easily than VLANs do at Layer 2, making it simple to move users around the network. Nevertheless, there has been something of a resurgence of interest in VLANs recently, mainly in the service provider market, where companies such as Yipes Communications that offer metropolitan Ethernet use VLAN-enabled switches from Extreme Networks to provision metropolitan area VLANs for their customers.
Another growing use of VLANs is in the Web hosting arena, where these companies are using VLANs to help isolate traffic between different subscribers.

See Also: 802.1Q, broadcast domain, collision domain, Dynamic Host Configuration Protocol (DHCP), Ethernet switch, hub, Institute of Electrical and Electronics Engineers (IEEE), Internet Engineering Task Force (IETF), IP address, Layer 2 switch, Layer 3 switch, MAC address, router
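The following Python model, added here to illustrate the Implementation section above (it is not part of the original entry and is not any vendor's switch software), shows the two mechanisms the entry describes: 802.1Q frame tagging, where a tag carrying the VLAN ID is inserted after the source address and stripped again at an access port, and VLAN-ID-scoped forwarding, where a broadcast entering port 1 of the 3-port example reaches port 2 (same VLAN ID 10) but never port 3 (VLAN ID 20). A fourth port is modelled as a trunk that carries tagged frames to another switch. The MAC addresses, port numbers and frames are constructed sample values; the model omits 802.1Q details such as priority bits and a native VLAN, and drops untagged frames arriving on a trunk.

```python
"""Added example: a minimal model of 802.1Q frame tagging and VLAN-aware
forwarding. Illustrative code only, not vendor switch software."""
import struct

TPID_8021Q = 0x8100          # EtherType value that identifies an 802.1Q tag
BROADCAST = b"\xff" * 6      # Ethernet broadcast destination address


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:          # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID out of range")
    tci = vlan_id & 0x0FFF                # priority (PCP) and DEI bits left at 0
    return dst + src + struct.pack("!HH", TPID_8021Q, tci) \
        + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:           # tagged: TCI then the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class VlanSwitch:
    """Access ports carry untagged frames and belong to one VLAN ID;
    trunk ports carry tagged frames for every VLAN."""

    def __init__(self, access_ports, trunk_ports):
        self.access = dict(access_ports)   # port number -> VLAN ID
        self.trunks = set(trunk_ports)
        self.mac_table = {}                # (VLAN ID, MAC) -> port, learned

    def forward(self, ingress, frame):
        """Return {egress port: frame bytes} for a frame entering `ingress`."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        if ingress in self.access:
            vid = self.access[ingress]     # the ingress port's VLAN ID is authoritative
        elif ingress in self.trunks:
            if vid is None:
                return {}                  # untagged on a trunk: dropped (no native VLAN modelled)
        else:
            return {}                      # unknown port
        self.mac_table[(vid, src)] = ingress
        known = self.mac_table.get((vid, dst))
        if dst != BROADCAST and known is not None:
            targets = [known]              # known unicast: one port, same VLAN
        else:
            # broadcast or unknown unicast: flood, but only within the VLAN ID
            targets = [p for p, v in self.access.items() if v == vid] + sorted(self.trunks)
        out = {}
        for port in targets:
            if port == ingress:
                continue
            if port in self.trunks:        # tag stays on across the trunk line
                out[port] = build_frame(dst, src, ethertype, payload, vid)
            else:                          # tag is stripped at an access port
                out[port] = build_frame(dst, src, ethertype, payload)
        return out


def demo():
    """The entry's 3-port example (ports 1,2 in VLAN 10, port 3 in VLAN 20) plus trunk port 4."""
    sw = VlanSwitch({1: 10, 2: 10, 3: 20}, [4])
    host1 = bytes.fromhex("020000000001")  # constructed sample MAC addresses
    arp_request = build_frame(BROADCAST, host1, 0x0806, b"\x00" * 28)
    return sorted(sw.forward(1, arp_request))


if __name__ == "__main__":
    print("broadcast from port 1 reaches ports:", demo())   # ports 2 and 4, not 3
```

`demo()` returns `[2, 4]`: port 2 receives the frame untagged, the trunk port 4 receives it with a VLAN ID 10 tag, and port 3 receives nothing, which is exactly the broadcast isolation the entry attributes to VLAN IDs.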