The deployment of flat, Layer 2 switched networks has dramatically impacted the corporate LAN. By eliminating the latency caused by Layer 3 routing, Layer 2 switching has allowed time-sensitive applications to flourish. Unfortunately, as switched networks grow, you start to realize why we had routed networks in the first place. In an enterprise network, some Layer 3 routing is inevitable. However, at the access layer, Virtual LANs (VLANs) can provide some of the benefits of Layer 3 routing without the latency.
Knowing when to move to VLANs can be difficult. By looking at some of the advantages of VLANs, the network administrator can decide if VLANs are a viable solution for his/her network problems.
Many of the protocols used in the modern LAN make excessive use of broadcasts. By default, Layer 3 devices (i.e., routers) block these broadcasts from traveling between network segments. However, in a flat, switched network, broadcasts travel throughout the entire network and are seen by every PC connected to the wire. In a large LAN, broadcasts can overwhelm the network and eventually lead to network failure.
Now the problem has gone full circle and we are back to needing Layer 3 routing again, right? Well, not exactly. By dividing switch ports into VLANs, separate broadcast domains are created. For example, if we have groups of users connected to Ethernet ports 1 through 24 on a Cisco Catalyst 2900 series switch, all of those users would be members of a single broadcast domain. By configuring each switch port as a separate VLAN, we could divide that one broadcast domain into 24 separate VLANs. A more likely scenario is that users on ports 1 through 12 would be on one VLAN and users on ports 13 through 24 would be on another VLAN. Using this scenario, if all groups were generating the same amount of broadcast traffic, you would cut the broadcasts seen by each switch port in half.
When a group of users belongs to the same broadcast domain, all of the network traffic generated within that broadcast domain is accessible by each user. Thus, if a user is running a packet sniffer, they can see every frame that crosses the network. Security issues result when programs send data that is highly sensitive, such as human resource or payroll data. In this situation, a sniffer could access the data being transferred. By implementing VLANs, areas such as human resources can be split into their own broadcast domains, thereby preventing other areas from accessing sensitive data transmitted over the LAN. In addition, because an administrator assigns each switch port to a particular VLAN, they can control which devices have access to a particular VLAN. For example, if all human resource PCs are members of VLAN 10, the network administrator can collect the MAC addresses from the human resource PCs and allow only those MAC addresses to connect to VLAN 10.
Keeping track of which MAC address is assigned to a particular VLAN and switch port can be a difficult task. To help manage this process, Cisco offers a program called VLAN Membership Policy Server (VMPS). VMPS can dynamically assign switch ports to a particular VLAN based on the end station’s MAC address. Additionally, VMPS can deny access to any MAC address that is not a member of a particular VLAN. This can significantly reduce network administration and increase network security.
If you’ve been in the industry for a while, you’re probably thinking, “VLANs are great, but we were able to provide the same functionality with routers, so why did we implement Layer 2 switching in the first place?” The answer is: to reduce network latency.
Every packet that crosses a router’s interface must be read at Layer 3 and a new MAC header must be created. Reading a packet’s Layer 3 addressing information and creating a new MAC header causes latency. However, when a packet is switched through a network, the Layer 2 address is read and the packet is forwarded, filtered, or flooded. The MAC header is not recreated and this dramatically reduces latency.
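The points made above (broadcast domains cut in half by splitting ports 1 through 12 and 13 through 24 into two VLANs, what a sniffer can and cannot see once VLANs are in place, VMPS-style MAC-to-VLAN assignment with denial of unknown stations, and the forward/filter/flood behaviour of a Layer 2 switch) can be checked in a small model. The following Python is an added example, not code from the article or from Cisco; it is a toy switch, not a Catalyst configuration, and every MAC address, port number and payload in it is constructed. Its VMPS-like policy is a plain lookup table that stands in for the real server; note in the comments that a MAC address is an identifier rather than a credential, so this kind of assignment is an administrative control, not authentication.

```python
"""Toy 24-port Layer 2 switch: VLAN-scoped forward/filter/flood plus a
VMPS-style MAC-to-VLAN policy. Constructed example; all MACs and ports are made up."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str


class Switch:
    """Each port belongs to one VLAN (None = no VLAN, frames dropped).
    The CAM table is keyed by (vlan, mac) so learning never leaks across VLANs."""

    def __init__(self, ports: int = 24, default_vlan: int = 1) -> None:
        self.port_vlan: Dict[int, Optional[int]] = {p: default_vlan for p in range(1, ports + 1)}
        self.cam: Dict[Tuple[int, str], int] = {}

    def assign(self, ports: Iterable[int], vlan: Optional[int]) -> None:
        for p in ports:
            self.port_vlan[p] = vlan

    def receive(self, ingress: int, frame: Frame) -> Dict[int, Frame]:
        """Process one ingress frame; return {egress_port: frame}."""
        vlan = self.port_vlan[ingress]
        if vlan is None:
            return {}                                   # denied port: drop everything
        self.cam[(vlan, frame.src.lower())] = ingress   # learn the source MAC
        key = (vlan, frame.dst.lower())
        if frame.dst.lower() != BROADCAST and key in self.cam:
            out = self.cam[key]
            return {} if out == ingress else {out: frame}   # filter / forward
        # broadcast or unknown unicast: flood, but only to ports in the same VLAN
        return {p: frame for p, v in self.port_vlan.items() if v == vlan and p != ingress}


class MacVlanPolicy:
    """VMPS-like: put a port in the VLAN registered for the MAC seen on it.
    Unknown MACs are denied (the port gets no VLAN). A MAC is an identifier,
    not a credential, so this is an administrative control, not authentication."""

    def __init__(self, mac_to_vlan: Dict[str, int]) -> None:
        self.table = {m.lower(): v for m, v in mac_to_vlan.items()}

    def apply(self, switch: Switch, port: int, mac: str) -> Optional[int]:
        vlan = self.table.get(mac.lower())
        switch.assign([port], vlan)
        return vlan


def broadcast_fanout(switch: Switch, ingress: int) -> List[int]:
    arp = Frame(src="00:11:22:33:44:01", dst=BROADCAST, payload="ARP who-has")
    return sorted(switch.receive(ingress, arp))


def flat_vs_segmented() -> Tuple[int, int]:
    """Ports 1-12 in VLAN 10 and 13-24 in VLAN 20, versus a flat switch."""
    flat, seg = Switch(24), Switch(24)
    seg.assign(range(1, 13), 10)
    seg.assign(range(13, 25), 20)
    return len(broadcast_fanout(flat, 1)), len(broadcast_fanout(seg, 1))


def sniffer_visibility() -> Dict[str, List[str]]:
    """HR host (port 1) talks to a payroll server (port 5), both in VLAN 10.
    Observers run sniffers on port 7 (VLAN 10) and port 20 (VLAN 20)."""
    sw = Switch(24)
    sw.assign(range(1, 13), 10)
    sw.assign(range(13, 25), 20)
    hr, payroll = "00:aa:00:00:00:01", "00:aa:00:00:00:05"
    seen: Dict[str, List[str]] = {"port7_vlan10": [], "port20_vlan20": []}

    def observe(egress: Dict[int, Frame]) -> None:
        for port, name in ((7, "port7_vlan10"), (20, "port20_vlan20")):
            if port in egress:
                seen[name].append(egress[port].payload)

    observe(sw.receive(1, Frame(hr, payroll, "payroll query #1")))   # server unknown: flooded in VLAN 10
    observe(sw.receive(5, Frame(payroll, hr, "payroll reply #1")))   # HR known: forwarded to port 1 only
    observe(sw.receive(1, Frame(hr, payroll, "payroll query #2")))   # server now known: port 5 only
    return seen


def vmps_demo() -> Dict[str, Optional[int]]:
    sw = Switch(24)
    policy = MacVlanPolicy({"00:aa:00:00:00:01": 10, "00:aa:00:00:00:05": 10})
    result: Dict[str, Optional[int]] = {}
    result["hr_pc"] = policy.apply(sw, 3, "00:AA:00:00:00:01")        # registered HR MAC -> VLAN 10
    result["unknown"] = policy.apply(sw, 4, "de:ad:be:ef:00:00")      # unregistered MAC -> denied
    result["unknown_fanout"] = len(sw.receive(4, Frame("de:ad:be:ef:00:00", BROADCAST, "x")))
    return result


if __name__ == "__main__":
    print("broadcast fan-out flat vs segmented:", flat_vs_segmented())
    print("sniffer sees:", sniffer_visibility())
    print("VMPS policy:", vmps_demo())
```

Two things the model makes visible that the prose only states: a sniffer on a port in the other VLAN sees nothing at all, while a sniffer in the same VLAN still sees frames that are flooded before the switch has learned the destination (the first query), which is why VLAN membership of the sniffer's port, not just the switch itself, decides what is exposed; and a port whose MAC the policy does not recognise cannot even send a broadcast, which is the denial behaviour described for VMPS.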
Keeping your users happy
The last and most important reason for deploying VLANs is to keep your users happy. VLANs use network bandwidth more efficiently, reduce broadcasts, and increase security. What could make your users happier than that?
Warren Heaton Jr., MCSE+I, CCNP, CCDP is the Cisco Program Manager for A Technological Advantage in Louisville, KY.