51-10-06 DATA COMMUNICATIONS MANAGEMENT

VIRTUAL LANS

Gilbert Held

INSIDE: Definition; Rationale; Support for Virtual Networking Requirements; Facilitating Adds, Moves, and Changes; Enhancing Network Performance; Enhancing Network Security; Implicit Tagging; Explicit Tagging

PAYOFF IDEA
Imagine a virtual organization in which employees can be assigned to a project regardless of their geographical location and obtain the ability to easily communicate. Although this capability might have been a wish just a few years ago, today it is a reality due to the capability of a new communications technology known as virtual local area networking, or VLAN.

02/98 Auerbach Publications 1998 CRC Press LLC

INTRODUCTION

This article discusses the rationale for virtual local area networks (VLANs), their construction methods, and emerging standards. Since it may be late 1997 or early 1998 before VLAN standards are agreed upon, readers may prefer to satisfy their virtual networking requirements using proprietary equipment. In doing so, this article will serve as a guide, as it covers basic construction techniques, including the compatibility issues associated with attempting to construct a network using equipment from different vendors.

DEFINITION

A virtual LAN (VLAN) represents a logical broadcast domain established on a physical network topology. To illustrate the effect of this definition, the focus will be on an Ethernet switch. Exhibit 1 illustrates an eight-port Ethernet switch used to connect six workstations to two servers.

EXHIBIT 1 Using an Ethernet Switch

In this example, the eight ports are labeled 0 through 7 and represent the eight physical ports built into the switch. Assume workstations connected to Ethernet switch ports 0 through 2 and 6 represent computers and a server that belong to the engineering department. Also assume that workstations connected to Ethernet switch ports 3 through 5 and 7 represent computers and a server that belong to the sales department. If the Ethernet switch is capable of supporting the creation of VLANs based on the physical port that devices are connected to, two virtual LANs could be constructed. The engineering department VLAN could be established to form a broadcast domain consisting of switch ports 0 through 2 and 6. In comparison, the sales department could have a VLAN established by logically grouping switch ports 3 through 5 and 7 into a broadcast domain. Exhibit 2 illustrates the logical establishment of the two virtual LANs on the physical topology of the eight-port Ethernet switch.

In examining the two VLANs established in Exhibit 2, note that each represents a broadcast domain separate from the other. This separation can represent a problem if, for example, a workstation on one VLAN requires access to a server assigned to a different VLAN. Later in this article, interoperability issues will be examined when the different VLAN construction techniques are described.

Rationale

There are several key reasons that form the basis for organizations building virtual LANs. Those reasons include supporting the virtual networking requirements of an organization, facilitating adds, moves, and changes, enhancing network performance, and enhancing network security. Each of these reasons will be discussed briefly to obtain an appreciation for how the use of VLAN technology may be able to enhance an organization's networking operations.
EXHIBIT 2 Establishing VLANs Based on Switch Port Connection

Support for Virtual Networking Requirements

A virtual LAN represents a logically created broadcast domain. As such, it is not restricted to following the exact topology of a LAN. Instead, it must reside within the physical topology of a LAN. This means a VLAN can be constructed, modified, and deleted in tandem with the assignment of personnel to a project that requires communications support. In addition, the construction and modification of stations into a broadcast domain can correspond to the computers attached to LANs and used by employees assigned to a particular project. Thus, a VLAN can be used to support the virtual networking requirements of an organization.

Facilitating Adds, Moves, and Changes

A VLAN associates network nodes into a broadcast domain based on a predefined networking characteristic, such as a switch port. By adding, deleting, or modifying the characteristics used to assign network nodes to a broadcast domain, one obtains the capability to add, modify, or delete members of the VLAN. Thus, a VLAN facilitates adds, moves, and changes.
Enhancing Network Performance

Many upper-layer protocols use broadcast packets to advertise the presence of certain network devices. In doing so, such packets can flood a network as they are repeated by bridges onto other network segments, even if no device on the new segment requires the service of the advertising device. For example, in a Novell NetWare environment, servers transmit a Service Advertising Protocol (SAP) packet every 60 seconds. Since broadcast packets or frames originating on one VLAN do not normally flow onto other VLANs, the use of VLANs can improve performance, as broadcast packets can be restricted to the specific domains requiring knowledge of server offerings.

Enhancing Network Security

Although a VLAN is not a security device and does not provide such services as encryption, authentication, and verification, it can provide enhanced network security. The reason it can do so is that transmissions are normally restricted to predefined broadcast domains. This means that only a member of the broadcast domain will normally receive a packet originated by another member of the VLAN domain. Conversely, this also results in a network user who is not a member of the domain being unable to receive packets sent on the domain. Thus, a common method used to breach security, the connection of a LAN monitor to read all network packets, would not normally work if the user attempting to use the monitor was not a member of the VLAN. An exception to the use of VLANs to enhance network security is discussed later in this article.

Construction Methods

There are two basic methods used to construct VLANs: implicit and explicit tagging. Implicit tagging results in the use of a characteristic or feature of the node connected to a LAN, such as the port on a switch through which a node connects to a network. Through the use of implicit tagging, the LAN frame remains unmodified.
In comparison, explicit tagging results in the modification of a LAN frame as it flows through a switch or router, during which a field is added that defines the VLAN associated with a network node. Currently, most work in the area of explicit tagging is being performed by the Institute of Electrical and Electronics Engineers (IEEE) 802.1Q committee. That committee prepared a Project Authorization Request (PAR) in March 1996 that defined the general scope of the VLAN standardization effort. That effort is expected to be finalized in late 1997 or early 1998. In the interim, one can acquire equipment that uses implicit tagging or proprietary explicit tagging. Both techniques are examined in the following paragraphs.
Implicit Tagging

There are three main methods of implicit tagging used to create VLANs, with each method corresponding to one of the three lower layers of the International Standards Organization (ISO) Open System Interconnection (OSI) Reference Model. Those methods are the use of ports, MAC addresses, and protocols, which correspond to the Physical Layer, Data Link Layer, and Network Layer, respectively. Since the creation of VLANs via port assignments was examined previously, the following paragraphs cover the creation of VLANs using MAC addresses and protocols.

The use of MAC addresses to create VLANs provides more flexibility than the use of ports. This is because, when VLAN assignments are based on associating a port connection with a virtual LAN, a segment-based switch would otherwise have to associate all nodes on a segment with a predefined VLAN. Exhibit 3 illustrates an eight-port switch that supports both VLAN creation via MAC addresses and segment switching. For simplicity, MAC addresses are shown as two hex digits instead of their IEEE 6-byte or 48-bit address.

EXHIBIT 3 VLAN Creation Using MAC Addresses

In examining Exhibit 3, note that only two segments, A and B, are shown populated. Each of those segments has three workstations, with their MAC addresses shown as A1, A2, A3 and B1, B2, B3 for each segment. When a VLAN is created based on port use, all nodes on a segment are required to be assigned to the same VLAN. For example, if ports 0 and 6 were used to form a VLAN, then nodes with MAC addresses A1, A2, and A3, and server S1 would be assigned to the same broadcast domain.

Suppose workstations with MAC addresses A1 and A2 were used by members of the engineering department, while workstations with MAC addresses A3, B1, B2, and B3 were used by members of the sales department. If the creation of VLANs was based on port use, one would have to physically move the workstation whose MAC address is A3 from segment A to segment B in order to create two virtual LANs, each based upon the department to which the employee using the workstation was assigned. In comparison, if VLAN creation is based upon MAC address, one could assign workstations with MAC addresses A1 and A2 to one virtual LAN, while workstations with MAC addresses A3, B1, B2, and B3 could be assigned to the second virtual LAN. Note that this method of VLAN assignment removes the necessity to recable the workstation whose MAC address is A3.

Although this is clearly advantageous, the use of MAC addresses on shared segments to establish virtual LANs negates one advantage of virtual LANs: enhanced network security. By supporting the creation of VLANs based upon MAC addresses, the broadcast domain must be extended to the entire segment on which a particular MAC address resides. Thus, a packet associated with the VLAN formed by workstations A1 and A2 would be broadcast onto segment A. This means that, with appropriate equipment, the user at the workstation whose MAC address is A3 would be capable of reading packets on a different virtual LAN from the one he or she is assigned to.
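To make the difference between the port-based assignment of Exhibit 2 and the MAC-based assignment of Exhibit 3 concrete, the following model is an added example written for this edit, not code from the article. It assumes a constructed eight-port switch in which ports 0 and 3 are the shared segments A and B, and it works out which stations physically receive a broadcast under each assignment method, including the non-member stations that the MAC-based method exposes.

```python
# Added example: simulates implicit tagging on the switch of Exhibits 1-3.
# Constructed topology (not from the article): ports 0 and 3 are shared
# segments A and B carrying three stations each; S1 and S2 are servers on
# their own ports. A station's MAC address maps to the switch port it uses.
STATION_PORT = {"A1": 0, "A2": 0, "A3": 0, "B1": 3, "B2": 3, "B3": 3,
                "S1": 6, "S2": 7}


def port_based_vlans(port_to_vlan):
    """Port-based implicit tagging: every station on a port shares its VLAN."""
    return {mac: port_to_vlan[port] for mac, port in STATION_PORT.items()}


def broadcast_reach(station_vlan, sender):
    """Stations that physically receive a broadcast sent by `sender`.

    The switch floods the frame to every port holding a member of the
    sender's VLAN. On a shared segment every station on that port sees
    the frame, whether or not it is assigned to the VLAN.
    """
    vlan = station_vlan[sender]
    member_ports = {STATION_PORT[m] for m, v in station_vlan.items() if v == vlan}
    return {m for m, p in STATION_PORT.items()
            if p in member_ports and m != sender}


def leaks(station_vlan, sender):
    """Stations that can read the broadcast without belonging to its VLAN."""
    vlan = station_vlan[sender]
    return {m for m in broadcast_reach(station_vlan, sender)
            if station_vlan[m] != vlan}


# Exhibit 2: ports 0-2 and 6 form engineering, ports 3-5 and 7 form sales.
PORT_BASED = port_based_vlans({0: "eng", 1: "eng", 2: "eng", 6: "eng",
                               3: "sales", 4: "sales", 5: "sales", 7: "sales"})

# Exhibit 3: A3 is moved to sales by MAC address, without recabling, so the
# sales broadcast domain now has to extend over all of shared segment A.
MAC_BASED = {"A1": "eng", "A2": "eng", "S1": "eng",
             "A3": "sales", "B1": "sales", "B2": "sales", "B3": "sales",
             "S2": "sales"}

if __name__ == "__main__":
    for name, table in (("port-based", PORT_BASED), ("MAC-based", MAC_BASED)):
        print(name, "eng broadcast from A1 leaks to:", sorted(leaks(table, "A1")))
        print(name, "sales broadcast from B1 leaks to:", sorted(leaks(table, "B1")))
```

With port-based assignment neither department's broadcasts leak; with MAC-based assignment A3 sees engineering traffic and, in the other direction, A1 and A2 see sales traffic flooded onto segment A.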
The third major method used to construct VLANs is based on the protocol used by network nodes. This is a very flexible approach to VLAN creation, as it enables workstations and servers to belong to multiple VLANs. For example, returning to Exhibit 3, assume workstations whose MAC addresses are A1 and A2 use a TCP/IP protocol stack, while workstations whose MAC addresses are B1, B2, and B3 use an IPX/SPX protocol stack. Further assume that the workstation whose MAC address is A3 has dual TCP/IP and IPX/SPX protocol stacks. Then, if VLAN creation is based upon the protocol used, the workstation whose MAC address is A3 can belong to both virtual LANs.

Explicit Tagging

Explicit tagging refers to the physical modification of a LAN frame as it flows through a networking device. That modification adds two or more fields to a LAN frame. Currently, the IEEE 802.1Q committee has proposed two models of VLAN tagging, referred to as a one-level model and a two-level model. Exhibit 4 illustrates the formats of the one-level and two-level models. Both models are shown for Ethernet; the proposed tagging formats for FDDI and Token Ring LANs differ and are not illustrated.

EXHIBIT 4 Potential IEEE VLAN Tagging Models

In the one-level model, the destination and source addresses from the original, untagged Ethernet frame are split apart from the remainder of the frame. Two new fields, labeled Ethertype and VLAN-ID, are inserted. The Ethertype field is used to identify the frame as a tagged packet, while the VLAN-ID field is used to identify the VLAN to which the packet is assigned. For the two-level model, the Virtual Destination and Virtual Source fields are new address fields added to the frame that carry virtual addresses. The Ethertype and VLAN-ID fields retain the same meanings as in the one-level model; however, through the use of the two-level model, frames can be addressed explicitly.

Currently, a large degree of effort remains in developing VLAN standards. For example, such questions as how explicit and implicit tagging methods can co-exist, or whether they will even co-exist, remain to be determined. Another area that remains to be resolved is the effect of extended frames upon many communications products, such as bridges, repeaters, routers, and gateways. For example, the addition of a VLAN-ID field to an Ethernet frame carrying the maximum 1500-byte information field can cause its total length to exceed the maximum allowable Ethernet frame length. When this situation occurs, some communications devices that check frame lengths will treat such frames as errors. This can result in such frames being dropped and could result in session timeouts as the frames are repeatedly retransmitted and dropped prior to their arrival at their intended destination. Thus, a considerable amount of effort remains before explicit tagging becomes a viable VLAN creation method.

Interoperability Issues

Today, one can acquire VLAN-capable switches and routers from more than 30 vendors. Unfortunately, the ability of a product from one vendor to interoperate with a product from another vendor with respect to their VLAN capability cannot be guaranteed. In fact, due to the lack of standards, one can only configure dissimilar equipment to operate together when implicit tagging is used. When doing so, one must restrict the method of implicit tagging to a common denominator supported by all products, and more than likely manually configure all equipment, as vendor equipment management capabilities may not be interoperable. Due to this, many organizations commonly acquire VLAN equipment from the same vendor.

CONCLUSION

Due to explicit tagging being several years away from possible standardization, most virtual LANs will continue to be developed using implicit tagging. This means organizations with immediate requirements to establish virtual LANs should focus their attention on equipment that has an implicit tagging capability. However, since organizations are always looking for methods by which they can economize on the purchase of equipment, network managers and administrators should ensure that the VLAN-capable switches and routers they purchase are software upgradeable. This means that microprocessor-based switches and routers should normally be considered, since such equipment is commonly upgradeable via a ROM change or PROM upgrade. In comparison, lower-cost products based upon the use of Application Specific Integrated Circuits (ASICs) cannot be upgraded. Thus, if an organization anticipates a requirement to obtain the support of explicit tagging once this method of VLAN creation is standardized, it should also consider acquiring upgradeable network devices, even if such devices initially are more costly.
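The one-level tagging model and the oversized-frame problem from the Explicit Tagging section above, as an added example that is not taken from the article: it uses the tag layout the IEEE eventually fixed in 802.1Q (a 2-byte tag protocol identifier 0x8100 in the Ethertype position, followed by a 2-byte field whose low 12 bits carry the VLAN ID), which this article predates, and it assumes a constructed frame with a full 1500-byte payload.

```python
import struct

# Added example of the one-level explicit tagging model in Exhibit 4, using the
# tag layout later fixed by IEEE 802.1Q: a 2-byte tag protocol identifier
# (0x8100) in the Ethertype position, then a 2-byte tag control field whose
# low 12 bits are the VLAN ID. Lengths below exclude the preamble; the FCS is
# counted separately so the classic 1518-byte maximum can be checked.
TPID_8021Q = 0x8100
FCS_LEN = 4
MAX_UNTAGGED_FRAME = 1518   # 14-byte header + 1500-byte payload + 4-byte FCS


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte tag between the source address and the Ethertype."""
    if not 0 <= vlan_id <= 0xFFF or not 0 <= priority <= 7:
        raise ValueError("VLAN ID must fit in 12 bits, priority in 3 bits")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tci = (priority << 13) | vlan_id        # drop-eligible bit left clear
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vlan_id, original_frame); vlan_id is None if no tag is present."""
    if len(frame) < 16:
        return None, frame
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]


def exceeds_legacy_max(frame: bytes) -> bool:
    """True when the frame plus FCS is longer than a pre-VLAN device accepts.

    This is the article's oversized-frame problem: a 1500-byte payload plus
    a 4-byte tag gives 1522 bytes, which length-checking devices drop.
    """
    return len(frame) + FCS_LEN > MAX_UNTAGGED_FRAME


# Constructed frame: broadcast destination, a locally administered source
# address, IPv4 Ethertype 0x0800 and a maximum-size 1500-byte payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0200a1a1a1a1")
                + bytes.fromhex("0800") + bytes(1500))

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vlan_id=100)
    print("tagged length:", len(tagged), "oversized:", exceeds_legacy_max(tagged))
    print("recovered VLAN:", untag_frame(tagged)[0])
```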
Gilbert Held is director of 4-Degree Consulting, a Macon, GA-based high-tech consulting group. He is an internationally recognized author and lecturer, having written more than 40 books and 300 technical articles. He earned a BSEE from Pennsylvania Military College, an MSEE from New York University, and MBA and MSTM degrees from The American University. He has been selected to represent the U.S. at technical conferences in Moscow and Jerusalem and has received numerous awards for excellence in technical writing.