There are many different types of devices in the typical data center that require multihoming (multiple network adapters) to tie in to multiple network segments. As the number of those systems increase, it becomes more and more difficult to provide the network infrastructure (due to the sheer number of Ethernet connections that need to be provided) from the perspective of cost, space, and wire management.
A technology called VLAN trunking, once primarily the domain of network switches, has now trickled down to the rest of the data center and can help address the multihoming problem. With VLAN trunking, it is now possible for these multihoming devices to be multihoming in function without the need for multiple physical network adapters and the additional infrastructure associated with them.
VLAN trunking allows a single network adapter to behave as X number of virtual network adapters, where X has a theoretical upper limit of 4096, but is typically limited to 1000 network switches. In the case where a single gigabit Ethernet adapter is trunked in place of using multiple FastEthernet adapters, higher performance at a lower cost while increasing flexibility can be achieved. This really is the best of all worlds. I’m going to give you an overview of VLAN trunking and how it can be used.
VLAN trunking requirements
VLAN trunking requires that the network switch, the network adapter, and the drivers for the operating system all support VLAN tagging in order for them to trunk. Almost any enterprise grade switch made by Cisco, Extreme, Foundry, and others support VLANs (802.1q).
A few examples of this on the smaller scale are Cisco’s 2950 series and Netgear’s FSM726. Most high-end client adapters support VLAN trunking, but one of the most common ones you will find is the Intel Pro/100 and Pro/1000, which are often included on server manufacture motherboards. For those systems without an integrated Intel adapter, a separate Pro/1000 PCI card can be bought for as little $40. Drivers support on the Intel adapters are excellent and covers almost everything from BSD to Linux to Windows client and server operating systems. My follow up article on how to actually implement VLAN trunking will focus on Cisco and Intel equipment.
Applications of VLAN trunking
Network devices that need multihoming capability and can benefit from VLAN trunking include:
- Transparent proxy servers
- VMware hosts
- Wireless Access Points (WAPs)
Routers can become infinitely more useful once they are trunked in to the enterprise switch infrastructure. Once trunked, they become omnipresent and can provide routing services to any subnet in any corner of the enterprise network. This is, in essence, what a routing module in a high-end core or distribution L3 (Layer 3) switch provides.
VLAN trunking can be a poor man’s substitute for a high-end routing module on a switch, or it can complement the high-end L3 switch by providing additional isolated routed zones for test labs, guest networks, and any other network segment that requires isolation.
Firewalls are another device that can greatly benefit from VLAN trunking now that all the big players like Cisco, Nokia/CheckPoint, and NetScreen support it. In today’s high stakes environment where security concerns are ever increasing, the more firewall zones (subnets connected by separate virtual or physical network adapters) that a firewall provides the better.
With the exception of a few firewalls (such as NetScreen), firewalls can only block potentially hazardous traffic between zones and not traffic within the same zone. Therefore, the more you separate devices like routers and servers by logical function and security level, the better off you are since you can limit unnecessary traffic and mitigate many security threats. Since VLAN trunking provides a nearly unlimited number of virtual network connections, at a lower cost and higher performance, it is the perfect addition to firewalls.
For more on firewall design and security, you can read these two articles:
- Understand how to design a secure firewall policy
- Increase firewall protection with a better network topology
Transparent proxy servers such as a Windows server running Microsoft IAS or a Linux server running Squid can now be built with a single gigabit Ethernet adapter (again, this costs as little as $40). A traditional proxy server can be built with a single network connection, but a transparent proxy server usually cannot. Since transparent proxy servers can be implemented with zero client deployment, they are a very attractive solution. Trunking just makes it that much easier and cheaper to implement.
VMware hosts are servers that host multiple virtual servers for the purpose of server virtualization or system modeling for laboratory testing and research. Although VMware already provides the ability to have multiple VLANs within the VMware host, its ability to connect those VLANs to physical VLANs is limited to the number of network adapters on the VMware host. A VMware host can provide up to three network connections to each virtual machine. Since applications cannot tell the difference between a virtual adapter and a physical one, a VMware host armed with a trunked interface is significantly more flexible and simpler to manage.
One of the hottest new applications of VLAN trunking is wireless networking. The new Cisco AP 1200, for example, can behave as 16 virtual wireless LAN infrastructures. Some VLANs can be used for low security guest Internet access, others for minimum security enterprise users, and administrators can be put on a high security VLAN with enhanced firewall permissions.
All this can be achieved using a single Wi-Fi infrastructure to emulate up to 16 Wi-Fi infrastructures. The Cisco AP 1200 does this by assigning each of the 16 VLANs it’s own Wi-Fi SSID, so when you look at it from NetStumbler (a free wireless sniffer), you will think you are looking at up to 16 different wireless networks. Those 16 VLANs are then trunked over the AP 1200’s FastEthernet port. This offers terrific flexibility in wireless LAN design and deployments.
How VLAN trunking works
There are several types of VLAN encapsulation. The two most common types are Cisco’s proprietary ISL (Inter Switch Link) and the IEEE 802.1q specification. ISL is an older standard that Cisco was using to connect its switches and routers, but now that 802.1q is ratified, all of the newer Cisco gear either supports both ISL and 802.1q or only 802.1q. Older Cisco equipment may only support ISL trunking, so you must look up the individual specifications of your gear before attempting to connect them.
The 802.1q standard works by injecting a 32-bit VLAN tag into the Ethernet frame of all network traffic, and 12 of those bits define the VLAN ID. The VLAN ID simply declares what VLAN the Ethernet frame belongs to, and the switch uses that ID to sort out and place the frames in their proper VLANs. Once a frame reaches the end of the line or hits a non-trunked port, the VLAN tag is stripped from the frame because it no longer needs it. This also means that if you attempt to trunk a host to a non-trunked port, it obviously will not work because that non-trunked port will strip the VLAN tags upon entry. Note that there are important security implications when using VLAN technology. I will elaborate on that in a future article on VLAN Layer 2 security.
VLAN trunking is worth the effort
Given that a VLAN tag must be inserted into each and every Ethernet frame, it does mean that there is a little overhead in terms of slightly increased frame sizes and some CPU overhead required to inject the tags. Because of this, separate physical network adapters will always perform better than virtual network adapters on a single adapter of the same speed. But remember, this performance deficiency is quickly reversed if a single gigabit Ethernet adapter is used in place of multiple FastEthernet adapters. Plus, given all the rewards of VLAN trunking, the small overhead is more than justified.