Microsegment your network with a virtual LAN

Virtual LANs can help switched networks microsegment traffic. But what issues do virtual LANs raise, and how do they work? Warren Heaton has the answers in this week's Consultant's Corner.

Switching is a great solution for creating high-speed, low latency networks. Unfortunately, as switched networks grow, manageability, broadcast/multicast frames, and security can become a real problem.

Cisco’s virtual LAN (VLAN) technology can help alleviate these problems and keep your high-speed switched network running smoothly and efficiently.

What is a VLAN?
A VLAN is a logical group of network clients and resources administratively assigned to ports on a switch. A VLAN becomes its own broadcast domain. This means that broadcasts and multicasts are forwarded only to members of the same VLAN.

VLANs can be created and organized by function, location, or business unit. This functionality provides for greater scalability and better support for roving users.

A single VLAN can support up to 1,000 users. However, for ease of management, Cisco recommends having no more than 200 users per VLAN.

Switching
A LAN switch forwards frames based on the frame’s Layer 2 (MAC) address. Because switches operate at Layer 2 (as opposed to routers, which operate at Layer 3), a switch reads fewer bytes of the frame before forwarding it to its destination. This allows switches to operate with less latency than routers.

Additionally, when you have only one user per segment, each user receives access to the full bandwidth available without having to compete with other users for network bandwidth. This increases the speed and reliability of data transmissions.

However, unlike routers, switches do not maintain complex routing information. Therefore, switches must flood all broadcast and multicast frames out of all ports.

Broadcast and multicast
Many applications and protocols use broadcasts and multicast packets to communicate. Depending on the application, broadcasts and multicasts can consume network bandwidth and decrease the efficiency of the network. This is particularly true with multimedia applications.

By dividing users of high bandwidth applications into separate VLANs, you can limit their traffic to specific segments of the switch. The division then preserves bandwidth for other users.

Security
In a traditional switch-based network, if a user plugged into a switch, that user would have access to any resource on the network. VLANs require administrators to configure each port and assign resources to each VLAN. This means that a user cannot just plug into the switch and begin using resources. Rather, the user must be administratively assigned to a VLAN group.

Scalability and manageability
As networks grow, traffic on individual segments increases. VLANs can be created to manage the growth by grouping users who frequently communicate into the same VLAN. A rule of thumb is to follow the old 80/20 rule. That means that 80 percent of the traffic should remain within the local broadcast domain, or VLAN. Conversely, only 20 percent of the traffic should be forwarded out of the VLAN.
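The forwarding behaviour described in the sections above (one broadcast domain per VLAN, MAC learning, and flooding of broadcast, multicast and unknown-unicast frames only within the VLAN of the ingress port) can be modelled in a few lines. This is an added example, not code from the article or from Cisco; the port-to-VLAN map and MAC addresses are constructed, and a port with no VLAN assignment forwards nothing, which is the "administratively assigned" point made under Security.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return bool(int(mac.split(":")[0], 16) & 1)


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    """Constructed model of a Layer 2 switch with one broadcast domain per VLAN."""
    port_vlan: dict                                  # port -> VLAN id (set by the admin)
    mac_table: dict = field(default_factory=dict)    # (vlan, mac) -> port

    def forward(self, ingress: int, frame: Frame) -> list:
        """Return the sorted list of egress ports that receive `frame`."""
        if ingress not in self.port_vlan:
            return []                                # unassigned port: nothing forwarded
        vlan = self.port_vlan[ingress]
        self.mac_table[(vlan, frame.src)] = ingress  # learn the source on this VLAN only
        if not is_group(frame.dst) and (vlan, frame.dst) in self.mac_table:
            out = self.mac_table[(vlan, frame.dst)]
            return [] if out == ingress else [out]   # known unicast: one egress port
        # broadcast, multicast or unknown unicast: flood within the VLAN,
        # never back out the ingress port and never into another VLAN
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != ingress)


def demo() -> dict:
    """Ports 1-3 are in VLAN 10, ports 4-5 in VLAN 20 (constructed layout)."""
    sw = Switch(port_vlan={1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    r = {}
    r["arp"] = sw.forward(1, Frame("00:00:00:00:00:01", BROADCAST))           # floods VLAN 10 only
    r["reply"] = sw.forward(2, Frame("00:00:00:00:00:02", "00:00:00:00:00:01"))  # learned: port 1
    r["cross"] = sw.forward(4, Frame("00:00:00:00:00:04", "00:00:00:00:00:01"))  # unknown in VLAN 20
    r["unassigned"] = sw.forward(9, Frame("00:00:00:00:00:09", BROADCAST))    # no VLAN: dropped
    r["table"] = sw.mac_table
    return r


if __name__ == "__main__":
    print(demo())
```

The "cross" case shows why a host in VLAN 20 never reaches a MAC learned in VLAN 10 at Layer 2: the frame floods only VLAN 20, and traffic between VLANs must go through a router.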

Warren Heaton CCDA, CCNA, MCSE+I is the Cisco Program Manager for A Technological Advantage in Louisville, KY.
