LAN vs VLAN
Ethernet LANs are broadcast domains, in which information transmitted by any network device in the domain is received by all devices attached to the LAN via the shared transmission medium. In a LAN with many devices, if only hubs are used in the network, a single large broadcast domain is created and the frequent broadcast messages can easily consume all the bandwidth. Broadcasts are stopped only at the router, which is the edge of the broadcast domain, before traffic is sent across the WAN.
If we replace the hubs with switches, we can create VLANs within the existing large physical broadcast domain in order to segment and isolate network traffic and reduce unnecessary broadcast traffic.
A virtual LAN, or VLAN, is a group of computers, network printers, network servers, and other network devices that behave as if they were connected to a single network. Hosts belonging to a VLAN share the same VLAN ID, and hosts with the same VLAN ID behave as if they are on the same physical network. In its basic form, a VLAN is a broadcast domain. The difference between a physical broadcast domain and the virtual broadcast domain defined by a VLAN is that a physical broadcast domain is seen as a distinct physical entity with a router on its boundary. VLANs are similar to broadcast domains because their boundaries are also defined by a router. However, a VLAN is a logical topology, independent of the physical topology: it can contain a group of devices on either the same or different physical LAN segments, i.e. the segments that are actually wired together with cables.
Another advantage of VLANs is that users can be grouped according to their logical communication requirements instead of their physical location. Your sales team might be spread across different floors, different buildings, or even different cities; as long as their computers belong to the same VLAN, they can communicate with each other as if they were in the same physical LAN segment.
VLAN membership
There are three types of VLANs, depending on how VLAN membership is decided.
- Port-based VLAN: computers are assigned to a VLAN based on the switch port to which the computer is connected. When the same computer is connected to a different switch port, its VLAN membership might change if the other switch port is assigned to a different VLAN.
- MAC-based VLAN: a computer is assigned to a VLAN according to its MAC address. The advantage of a MAC-based VLAN is that PCs can move around all the time and still belong to the same VLAN without extra configuration. However, since the PC's MAC address is tied to a particular VLAN, changing its VLAN membership is harder compared to a port-based VLAN: the network administrator needs to reconfigure it at the switch side, or the switch needs a special feature to support multiple VLAN memberships.
- IP-based VLAN: a computer is assigned to a VLAN based on its network layer address, such as its IP address. An IP-based VLAN lets the PC keep its IP address when it moves around. Note that switches are layer 2 devices: even though the layer 3 IP address is used to differentiate VLAN members, the device is still assigned to a layer 2 broadcast domain, and the switch still forwards frames rather than packets. Due to the additional switch processing, IP-based VLANs tend to have the worst performance among the three types of VLANs.
VLAN to VLAN communication
When a host in one broadcast domain wants to communicate with a host in a different broadcast domain, the packets have to travel across the domain border via a router. Since VLANs are basically broadcast domains, inter-VLAN communication also has to involve a router.
The routing function can be provided either by a router or by a layer 3 switch.
In the case of a router, the message delivery process is:
- PC1 in VLAN A, connected to switch port 1, sends traffic to PC2 in VLAN B.
- The traffic leaving PC1 in VLAN A reaches the switch through switch port 1.
- The switch sees that the destination belongs to a different broadcast domain, so it passes the traffic to the router via switch port 2.
- The router checks its routing table and passes the traffic back to the switch on switch port 3.
- The switch delivers the traffic to PC2 in VLAN B via port 4.
A layer 3 switch is essentially a layer 2 switch that can also act as a router. If a switch can be configured to route traffic between the VLANs defined within it, inter-VLAN traffic doesn't have to leave the switch for the routing decision. Even though a layer 3 switch needs additional hardware and software features to support routing, it saves a physical router device and reduces unnecessary routing traffic, so layer 3 switches are very popular in corporate networks.
VLAN trunks
We can interconnect switches to create bigger VLANs; these interconnections are called trunk links. Trunk links are generally faster than the VLANs they connect, because these links sometimes need to carry the traffic of more than one VLAN.
A simple case is extending a VLAN (say VLAN 10) to another switch. To do that, we configure VLAN 10 on the second switch, then connect a VLAN 10 port on the first switch to a VLAN 10 port on the second switch with a cable. These connected ports now form a link between the two switches. However, since these ports pass traffic only for VLAN 10, this type of link, in which traffic for only a single VLAN is passed, is referred to as an access link, as opposed to a trunk link, which carries traffic for multiple VLANs.
When multiple VLANs need to pass traffic between switches, we would need to assign an access link for each VLAN, which occupies a lot of switch ports. Instead, these VLANs can share a single trunk link rather than each having a dedicated access link. Now the traffic of several VLANs is mixed on the shared trunk link, so the receiving switch needs a way to identify which VLAN each frame belongs to; VLAN tagging is used for this.
Inter-Switch Link (ISL) and 802.1Q are two of the tagging technologies. ISL is a Cisco proprietary VLAN tagging method; 802.1Q is an open standard that both Cisco and non-Cisco switches support.
ISL and 802.1Q are similar in operation. ISL, for example, tags a frame as it leaves a switch; the tag adds information to the frame about which VLAN the frame belongs to. When the tagged frame reaches the port on the receiving switch, the switch looks at the ISL header, determines which VLAN the frame belongs to, removes the ISL tag, and then forwards the frame into the VLAN specified by the tag.
After VLAN tagging has been configured on the ports associated with the link connecting the switches, the link is known as a trunk link.
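To make the port-based membership, the broadcast containment within a VLAN and the 802.1Q tagging on a trunk described above concrete, here is an added example (not code from the original post) of a minimal software switch. It assumes a simplified frame layout (6-byte destination MAC, 6-byte source MAC, EtherType, payload), a 4-byte 802.1Q tag inserted after the MAC addresses, and the common behaviour where the native VLAN leaves a trunk untagged; port numbers and MAC addresses used with it are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
BROADCAST = b"\xff" * 6

def make_frame(dst: bytes, src: bytes, payload: bytes = b"hello") -> bytes:
    # Minimal untagged Ethernet frame: dst MAC, src MAC, EtherType (IPv4), payload.
    return dst + src + b"\x08\x00" + payload

def tag_frame(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) after the 12-byte dst/src MAC header."""
    if not 1 <= vid <= 4094:                  # VID 0 and 4095 are reserved
        raise ValueError("VID must be 1..4094")
    tci = vid & 0xFFF                         # PCP=0, DEI=0, VID in the low 12 bits
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vid, frame without the tag); vid is None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0xFFF, frame[:12] + frame[16:]
    return None, frame

class Switch:
    """Port-based VLAN switch: access ports carry one VLAN untagged; trunk ports carry all VLANs tagged."""

    def __init__(self, access: dict, trunk: set, native_vid: int = 1):
        self.access = access          # access port -> VID
        self.trunk = trunk            # set of trunk ports
        self.native_vid = native_vid  # VID that travels untagged on a trunk
        self.mac_table = {}           # (vid, mac) -> port, learned from source MACs

    def receive(self, in_port: int, frame: bytes) -> dict:
        """Forward one frame; return {out_port: frame exactly as it leaves that port}."""
        if in_port in self.trunk:     # trunk port: the VLAN comes from the tag
            vid, frame = untag_frame(frame)
            vid = self.native_vid if vid is None else vid
        else:                         # access port: the VLAN comes from the port itself
            vid = self.access[in_port]
        dst, src = frame[:6], frame[6:12]
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        if dst != BROADCAST and known is not None:
            out_ports = [known]
        else:                         # broadcast or unknown unicast: flood within the VLAN only
            out_ports = [p for p, v in self.access.items() if v == vid] + sorted(self.trunk)
        out = {}
        for p in out_ports:
            if p != in_port:
                out[p] = tag_frame(frame, vid) if p in self.trunk and vid != self.native_vid else frame
        return out
```

A broadcast entering an access port in VLAN 20 never appears on a VLAN 10 access port; it only leaves the trunk, carrying a VLAN 20 tag, which is exactly the isolation a router must bridge for inter-VLAN traffic.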
Cisco lab
We have talked enough about VLANs and VLAN trunks; let's put all these concepts together by configuring VLANs involving a few PCs, two Cisco switches and a router. The following video demonstrates how to configure VLANs and VLAN trunks; it also shows how to configure a router to route traffic between VLANs (router on a stick).
[ICND1 and ICND2 break down]