Prepared By:

1. SAURABH CHAKRABARTHI

WHERE IS WHAT

1.Abstract 3

2.Introduction 4

3.History Of VLAN 5

4.VLAN in details 6

5.Type Of VLAN 7

6.Implementation 10

7.Protocol And Design 11

8.Benefits of VLAN 13

9.Drawbacks 14

10.Conclusion 16

ABSTRACT

A virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same network switch. Network reconfiguration can be done through software instead of physically relocating devices.

To physically replicate the functions of a VLAN, it would be necessary to install a separate, parallel collection of network cables and switches/hubs which are kept separate from the primary network. However unlike a physically separate network, VLANs must share bandwidth; two separate one-gigabit VLANs using a single one-gigabit interconnection can both suffer reduced throughput and congestion. It virtualizes VLAN behaviors (configuring switch ports, tagging frames when entering VLAN, lookup MAC table to switch/flood frames to trunk links, and untagging when exit from VLAN.)

INTRODUCTION

VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain.

This is also useful if someone wants to create multiple Layer 3 networks on the same Layer 2 switch. For example, if a DHCP server (which will broadcast its presence) is plugged into a switch it will serve any host on that switch that is configured to get its IP from a DHCP server. By using VLANs you can easily split the network up so some hosts won't use that DHCP server and will obtain link-local addresses, or obtain an address from a different DHCP server.

Virtual LANs are essentially Layer 2 constructs, compared with IP subnets which are Layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN or have one subnet spread across multiple VLANs. Virtual LANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another and this correspondence is useful during the network design process.

By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.

HISTORY OF VLANs:

In 1984, Dr. W. David Sincoskie was attempting to develop Voice over Ethernet for Bellcore. His early estimates figured that a successful network would need roughly a terabit of bandwidth to function. Since at this time routing was slow and complex, the solution was to make an Ethernet-based system which would scale. The problem with a traditional Ethernet-switched network was that it operates as a spanning tree and suffers from the fact that the roots prove to be bottlenecks. Since the speeds being dealt with would total 1 terabit, and 100Mb ethernet was still theoretical, current ethernet systems could not be used and another solution was needed. Another downside to a traditional Ethernet-based solution was that there was always a single point of failure. Dr. Sincoskie hypothesized that the bridging algorithm could be applied to spanning trees in order to create smaller segregated networks which would reduce the bandwidth needed at each root in the tree.[1] In order to allow this to happen, a tree number would need to be inserted into each packet, either implicitly or through the creation of an additional field. This additional field is what is now known in the Ethernet frame as the 802.1Q header, or the VLAN tag. Dr. Sincoskie referred to it as the multitree bridge. With the help of Dr. Chase Cotton, the two created and refined the algorithms (called the Extended Bridge Algorithms for Large Networks) necessary to make the system feasible and published their results in the 1988 IEEE Network.

VLANs IN DETAILS

A VLAN is a logically separate IP sub network.

VLANs allow multiple IP networks and subnets to exist on the same switched network.

For computers to communicate on the same VLAN, each must have an IP address and a subnet mask that is consistent for that VLAN.

The switch has to be configured with the VLAN and each port in the VLAN must be assigned to the VLAN.

A switch port with a singular VLAN configured on it is called an access port.

Remember, just because two computers are physically connected to the same switch does not mean that they can communicate.

Devices on two separate networks and subnets must communicate via a router (Layer 3), whether or not VLANs are used.

Types of VLANs

There are basically 3 types of VLANs:

1. DATA VLAN

2. Default VLAN

3. Default VLAN

DATA VLAN:

Data VLAN - a VLAN that is configured to carry only user-generated traffic.

It is common practice to separate voice and management traffic from data traffic.

A data VLAN is sometimes referred to as a user VLAN.

Default VLAN

All switch ports become a member of the default VLAN after initial bootup of the system.

Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain.

This allows any device connected to any switch port to communicate with other devices on other switch ports.

The default VLAN for Cisco switches is VLAN 1.

VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it.

Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed.

In the figure, VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches.

It is a security best practice to change the default VLAN to a VLAN other than VLAN 1; this entails configuring all the ports on the switch to be associated with a default VLAN other than VLAN 1.

Native VLAN

A native VLAN is assigned to an 802.1Q trunk port.

An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).

The 802.1Q trunk port places untagged traffic on the native VLAN.

In the figure, the native VLAN is VLAN 99.

Untagged traffic is generated by a computer attached to a switch port that is configured with the native VLAN.

IMPLEMENTATION

A basic switch not configured for VLANs will either have VLAN functionality disabled, or will have it permanently enabled with what is known as a default VLAN which simply contains all ports on the device as members.

Configuration of the first custom VLAN port group usually involves subtracting ports from the default VLAN, such that the first custom group of VLAN ports is actually the second VLAN on the device, apart from the default VLAN. The default VLAN typically has an ID of 1.If a VLAN port group were to only exist on the one device, all ports that are members of the VLAN group only need to be "untagged". It is only when the port group is to extend to another device that tagging is used. For communications to occur from switch to switch, an uplink port needs to be a tagged member of every VLAN on the switch that uses that uplink port, including the default VLAN.

Some switches either allow or require a name be created for the VLAN, but it is only the VLAN group number that is important from one switch to the next.

Where a VLAN group is to simply pass through an intermediate switch via two pass-through ports, only the two ports need to be a member of the VLAN, and are tagged to pass both the required VLAN and the default VLAN on the intermediate switch.

Management of the switch requires that the management functions be associated with one of the configured VLANs. If the default VLAN were deleted or renumbered without moving the management to a different VLAN first, it is possible to be locked out of the switch configuration, requiring a forced clearing of the device configuration to regain control.

Switches typically have no built-in method to indicate VLAN port members to someone working in a wiring closet. It is necessary for a technician to either have management access to the device to view its configuration, or for VLAN port assignment charts or diagrams to be kept next to the switches in each wiring closet. These charts must be manually updated by the technical staff whenever port membership changes are made to the VLANs.

Remote configuration of VLANs presents several opportunities for a technician to accidentally cut off communications and lock themselves out of the devices they are attempting to configure. Actions such as subdividing the default VLAN by splitting off the switch uplink ports into a separate new VLAN can suddenly cut off all remote communication, requiring the technician to physically visit the device in the distant location to continue the configuration process.

PROTOCOLS AND DESIGN

The protocol most commonly used today in configuring virtual LANs is IEEE 802.1Q. The IEEE committee defined this method of multiplexing VLANs in an effort to provide multivendor VLAN support. Prior to the introduction of the 802.1Q standard, several proprietary protocols existed, such as Cisco's ISL (Inter-Switch Link) and 3Com's VLT (Virtual LAN Trunk). Cisco also implemented VLANs over FDDI by carrying VLAN information in an IEEE 802.10 frame header, contrary to the purpose of the IEEE 802.10 standard.

Both ISL and IEEE 802.1Q tagging perform "explicit tagging" - the frame itself is tagged with VLAN information. ISL uses an external tagging process that does not modify the existing Ethernet frame, while 802.1Q uses a frame-internal field for tagging, and so does modify the Ethernet frame. This internal tagging is what allows IEEE 802.1Q to work on both access and trunk links: frames are standard Ethernet, and so can be handled by commodity hardware.

The IEEE 802.1Q header contains a 4-byte tag header containing a 2-byte tag protocol identifier (TPID) and a 2-byte tag control information (TCI). The TPID has a fixed value of 0x8100 that indicates that the frame carries the 802.1Q/802.1p tag information. The TCI contains the following elements:

Three-bit user priority One-bit canonical format indicator (CFI)

Twelve-bit VLAN identifier (VID)-Uniquely identifies the VLAN to which the frame belongs

The 802.1Q standard can create an interesting scenario on the network. Recalling that the maximum size for an Ethernet frame as specified by IEEE 802.3 is 1518 bytes, this means that if a maximum-sized Ethernet frame gets tagged, the frame size will be 1522 bytes, a number that violates the IEEE 802.3 standard. To resolve this issue, the 802.3 committee created a subgroup called 802.3ac to extend the maximum Ethernet size to 1522 bytes. Some network devices that do not support a larger frame size will process the frame successfully but may report these anomalies as a "baby giant."

Inter-Switch Link (ISL) is a Cisco proprietary protocol used to interconnect multiple switches and maintain VLAN information as traffic travels between switches on trunk links. This technology provides one method for multiplexing bridge groups

(VLANs) over a high-speed backbone. It is defined for Fast Ethernet and Gigabit Ethernet, as is IEEE 802.1Q. ISL has been available on Cisco routers since Cisco IOS Software Release 11.1.

With ISL, an Ethernet frame is encapsulated with a header that transports VLAN IDs between switches and routers. ISL does add overhead to the packet as a 26-byte header containing a 10-bit VLAN ID. In addition, a 4-byte CRC is appended to the end of each frame. This CRC is in addition to any frame checking that the Ethernet frame requires. The fields in an ISL header identify the frame as belonging to a particular VLAN.

A VLAN ID is added only if the frame is forwarded out a port configured as a trunk link. If the frame is to be forwarded out a port configured as an access link, the ISL encapsulation is removed.

Early network designers often configured VLANs with the aim of reducing the size of the collision domain in a large single Ethernet segment and thus improving performance. When Ethernet switches made this a non-issue (because each switch port is a collision domain), attention turned to reducing the size of the broadcast domain at the MAC layer. Virtual networks can also serve to restrict access to network resources without regard to physical topology of the network, although the strength of this method remains debatable as VLAN Hopping [4] is a common means of bypassing such security measures.

Virtual LANs operate at Layer 2 (the data link layer) of the OSI model. Administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving Layer 3 (the network layer). In the context of VLANs, the term "trunk" denotes a network link carrying multiple VLANs, which are identified by labels (or "tags") inserted into their packets. Such trunks must run between "tagged ports" of VLAN-aware devices, so they are often switch-to-switch or switch-to-router links rather than links to hosts. (Note that the term 'trunk' is also used for what Cisco calls "channels" : Link Aggregation or Port Trunking ). A router (Layer 3 device) serves as the backbone for network traffic going across different VLANs.

BENEFITS OF VLAN

Security - Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches.

Faculty computers are on VLAN 10 and completely separated from student and guest data traffic.

Cost reduction - Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.

Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.

Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm.

In the figure you can see that although there are six computers on this network, there are only three broadcast domains: Faculty, Student, and Guest.

Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN.

When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned.

It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name.

In the figure, for easy identification VLAN 20 could be named "Student", VLAN 10 could be named "Faculty", and VLAN 30 "Guest."

DRAWBACKS OF VLAN

Though VLAN has so many benefits yet there are certain drawbacks:

Native VLAN Mismatches VLAN and IP subnet

Ip connectivity failing on certain VLANs

Native VLAN Mismatches

VLAN and IP subnet

CONCLUSION:

With the deployment of large numbers of switch ports, VLAN has become an indispensable tool for the network administration to segment the network to increase bandwidth per user, provide security, and provision multimedia service. The evolution of VLAN as a simple broadcast containment device to a necessary function in the network propels VLAN to be the number 1 tool in an IT professional’s bag of tricks.

Even though there are some practical problems associated with it but VLAN has evolved as a great tool.

BIBILIOGRAPHY:

Virtual LAN – Wikipedia Virtual LAN – MICREL incorporated

Virtual LANs – Data communication and Networking, B.A. Forouzan