VLAN

A virtual local area network, virtual LAN or VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together even if they are not located on the same network switch. LAN membership can be configured through software instead of physically relocating devices or connections.

To physically replicate the functions of a VLAN, it would be necessary to install a separate, parallel collection of network cables and equipment which are kept separate from the primary network. However unlike a physically separate network, VLANs must share bandwidth; two separate one-gigabit VLANs using a single one-gigabit interconnection can both suffer reduced throughput and congestion. It virtualizes VLAN behaviors (configuring switch ports, tagging frames when entering VLAN, lookup MAC table to switch/flood frames to trunk links, and untagging when exit from VLAN.)

VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain.

This is also useful if someone wants to create multiple layer 3 networks on the same layer 2 switch. For example, if a DHCP server is plugged into a switch it will serve any host on that switch that is configured to get its IP from a DHCP server. By using VLANs you can easily split the network up so some hosts won't use that DHCP server and will obtain link-local addresses, or obtain an address from a different DHCP server.

VLANs are layer 2 constructs, compared with IP subnets which are layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN. VLANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another and this correspondence is useful during the network design process.

By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.

After successful experiments with voice over Ethernet from 1981 to 1984, Dr. W. David Sincoskie joined Bellcore and turned to the problem of scaling up Ethernet networks. At 10 Mbit/s, Ethernet was faster than most alternatives of the time; however, Ethernet was a broadcast network and there was not a good way of connecting multiple Ethernets together. This limited the total bandwidth of an Ethernet network to 10 Mbit/s and the maximum distance between any two nodes to a few hundred feet.

By contrast, the existing telephone network's peak speed for individual connections was limited to 56 Kbit/s, less than one hundredth the speed of Ethernet, but the total bandwidth of the network was estimated to be a terabit, capable of moving over a hundred thousand times more information.

IP routing could be used to connect multiple Ethernet networks together; however, the VAX-11/780 computers commonly used as routers cost $400,000 each and their total throughput was significantly less than Ethernet speeds. Sincoskie started looking for alternatives that required less processing per packet. In the process he independently reinvented the self-learning ethernet switch.^[1]

However, using switches to connect multiple Ethernet networks require a spanning tree configuration. This means that there is exactly one path from any source address to any destination. This causes centrally-located switches to become bottlenecks, which limits scalability as more connections are interconnected.

To help alleviate this problem, Sincoskie invented VLANs by adding a tag to each Ethernet packet. These tags could be thought of as colors, say red, green, or blue. Then each switch could be assigned to handle packets of a single color, and ignore the rest. The networks could be interconnected with three different spanning trees: a red spanning tree, a green spanning tree, and a blue spanning tree. By sending a mix of different packet colors, the aggregate bandwidth could be improved. Sincoskie referred to this as a multitree bridge. With the help of Chase Cotton, the two created and refined the algorithms (called the Extended Bridge Algorithms for Large Networks) necessary to make the system feasible.^[2]

This "color" is what is now known in the Ethernet frame as the 802.1Q header, or the VLAN tag. While VLANs are commonly used in modern Ethernet, using them for the original purpose would be rather unusual.

A basic switch not configured for VLANs will either have VLAN functionality disabled, or will have it permanently enabled with what is known as a default VLAN which simply contains all ports on the device as members.

Configuration of the first custom VLAN port group usually involves subtracting ports from the default VLAN, such that the first custom group of VLAN ports is actually the second VLAN on the device, apart from the default VLAN. The default VLAN typically has an ID of 1. munications to occur from switch to switch, an uplink port needs to be a tagged member of every VLAN on the switch that uses that uplink port, including the default VLAN.

Some switches either allow or require a name be created for the VLAN, but it is only the VLAN group number that is important from one switch to the next.

Where a VLAN group is to simply pass through an intermediate switch via two pass-through ports, only the two ports need to be a member of the VLAN, and are tagged to pass both the required VLAN and the default VLAN on the intermediate switch.

Management of the switch requires that the management functions be associated with one of the configured VLANs. If the default VLAN were deleted or renumbered without moving the management to a different VLAN first, it is possible to be locked out of the switch configuration, requiring a forced clearing of the device configuration to regain control.

Switches typically have no built-in method to indicate VLAN port members to someone working in a wiring closet. It is necessary for a technician to either have management access to the device to view its configuration, or for VLAN port assignment charts or diagrams to be kept next to the switches in each wiring closet. These charts must be manually updated by the technical staff whenever port membership changes are made to the VLANs.

Remote configuration of VLANs presents several opportunities for a technician to accidentally cut off communications and lock themselves out of the devices they are attempting to configure. Actions such as subdividing the default VLAN by splitting off the switch uplink ports into a separate new VLAN can suddenly cut off all remote communication, requiring the technician to physically visit the device in the distant location to continue the configuration process.

The two common approaches to assigning VLAN membership are as follows:

• Static VLANs
• Dynamic VLANs

Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.

Dynamic VLANs are created through the use of software. With a VLAN Management Policy Server (VMPS), an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the device queries a database for VLAN membership.

In a protocol based VLAN enabled switch, traffic is forwarded through ports based on protocol. Essentially, the user tries to segregate or forward a particular protocol traffic from a port using the protocol based VLANs; traffic from any other protocol is not forwarded on the port. For example, if you have connected a host, pumping ARP traffic on the switch at port 10, connected a Lan pumping IPX traffic to the port 20 of the switch and connected a router pumping IP traffic on port 30, then if you define a protocol based VLAN supporting IP and including all the three ports 10, 20 and 30 then IP packets can be forwarded to the ports 10 and 20 also, but ARP traffic will not get forwarded to the ports 20 and 30, similarly IPX traffic will not get forwarded to ports 10 and 30.

VLAN Cross Connect (CC) is a mechanism used to create Switched VLANs, VLAN CC uses IEEE 802.1ad frames where the S Tag is used as a Label as in MPLS . IEEE approves the use of such a mechanism in par 6.11 of IEEE 802.1ad-2005.

• IEEE 802.1Q
• MVRP Multiple VLAN Registration Protocol (formerly GVRP GARP VLAN Registration Protocol)
• Private VLAN
• Virtual network
• VoIP recording
• VPLS Virtual Private LAN Service
• VPN Virtual private network
• SVI Switch virtual interface

• Andrew S. Tanenbaum, 2003, "Computer Networks", Pearson Education International, New Jersey.

• IEEE's 802.1Q standard 1998 version (2003 version)(2005 version)
• Cisco Systems
  • Cisco home page for Virtual LANs/VLAN Trunking Protocol (VLANs/VTP) (discusses DSL, DTP, GVRP, ISL, VTP, 802.1Q)
  • Cisco's Overview of Routing between VLANs
  • Cisco's Bridging Between IEEE 802.1Q VLANs white paper
• University of California's VLAN Information
• OpenWRT guide to VLANs: Provides a beginners' guide to VLANs
• Study of VLAN usage in Purdue University's Campus Network
• Towards Systematic Design of Enterprise Networks: Demonstrates how to systematically produce a VLAN design
• Some FAQ about VLANs
• Interactive VLAN Basics Simulation