DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE


51-10-06

DATA COMMUNICATIONS MANAGEMENT

VIRTUAL LANS

Gilbert Held

02/98 Auerbach Publications 1998 CRC Press LLC

INSIDE: Definition, Rationale, Support for Virtual Networking Requirements, Facilitating Adds, Moves, and Changes, Enhancing Network Performance, Enhancing Network Security, Implicit Tagging, Explicit Tagging

PAYOFF IDEA

Imagine a virtual organization in which employees can be assigned to a project regardless of their geographical location and obtain the ability to easily communicate. Although this capability might have been a wish just a few years ago, today it is a reality due to the capability of a new communications technology known as virtual local area networking, or VLAN.

INTRODUCTION

This article discusses the rationale for virtual local area networks (VLANs), their construction methods, and emerging standards. Since it may be late 1997 or early 1998 when VLAN standards are agreed upon, readers may prefer to satisfy their virtual networking requirements using proprietary equipment. In doing so, this article will serve as a guide, as it covers basic construction techniques, including compatibility issues associated with attempting to construct a network using equipment from different vendors.

DEFINITION

A virtual LAN (VLAN) represents a logical broadcast domain established on a physical network topology. To illustrate the effect of this definition, the focus will be on an Ethernet switch. Exhibit 1 illustrates an eight-port Ethernet switch used to connect six workstations to two servers. In this example, the eight ports are labeled 0 through 7 and represent the eight physical ports built into the switch.

EXHIBIT 1 Using an Ethernet Switch

Assume workstations connected to Ethernet switch ports 0 through 2 and 6 represent computers and a server that belong to the engineering department. Also assume that workstations connected to Ethernet switch ports 3 through 5 and 7 represent computers and a server that belong to the sales department. If the Ethernet switch is capable of supporting the creation of VLANs based on the physical port that devices are connected to, two virtual LANs could be constructed. The engineering department VLAN could be established to form a broadcast domain consisting of switch ports 0 through 2 and 6. In comparison, the sales department could have a VLAN established by logically grouping switch ports 3 through 5 and 7 into a broadcast domain. Exhibit 2 illustrates the logical establishment of the two virtual LANs on the physical topology of the eight-port Ethernet switch.

In examining the two VLANs established in Exhibit 2, note that each represents a broadcast domain separate from the other. This separation can represent a problem if, for example, a workstation on one VLAN requires access to a server assigned to a different VLAN. Later in this article, interoperability issues will be examined when the different VLAN construction techniques are described.

Rationale

There are several key reasons that form the basis for organizations building virtual LANs. Those reasons include supporting the virtual networking requirements of an organization, facilitating adds, moves, and changes, enhancing network performance, and enhancing network security. Each of these reasons will be discussed briefly to obtain an appreciation for how the use of VLAN technology may be able to enhance an organization's networking operations.

EXHIBIT 2 Establishing VLANs Based on Switch Port Connection

Support for Virtual Networking Requirements

A virtual LAN represents a logically created broadcast domain. As such, it is not restricted to following the exact topology of a LAN; it need only reside within the physical topology of a LAN. This means a VLAN can be constructed, modified, and deleted in tandem with the assignment of personnel to a project that requires communications support. In addition, the construction and modification of stations into a broadcast domain can correspond to the computers attached to LANs and used by employees assigned to a particular project. Thus, a VLAN can be used to support the virtual networking requirements of an organization.

Facilitating Adds, Moves, and Changes

A VLAN associates network nodes into a broadcast domain based on a predefined networking characteristic, such as a switch port. By adding, deleting, or modifying the characteristics used to assign network nodes to a broadcast domain, one obtains the capability to add, modify, or delete members of the VLAN. Thus, a VLAN facilitates adds, moves, and changes.

Enhancing Network Performance

Many upper-layer protocols use broadcast packets to advertise the presence of certain network devices. In doing so, such packets can flood a network as they are repeated by bridges onto other network segments, even if no device on the new segment requires the service of the advertised device. For example, in a Novell NetWare environment, servers transmit a Service Advertising Protocol (SAP) packet every 60 seconds. Since broadcast packets or frames originating on one VLAN do not normally flow onto other VLANs, the use of VLANs can improve performance, as broadcast packets can be restricted to the specific domains requiring knowledge of server offerings.

Enhancing Network Security

Although a VLAN is not a security device and does not provide such services as encryption, authentication, and verification, it can provide enhanced network security. The reason it can do so is that transmissions are normally restricted to predefined broadcast domains. This means that only a member of the broadcast domain will normally receive a packet originated by another member of the VLAN domain. Conversely, this also means that a network user who is not a member of the domain is normally unable to receive packets sent on the domain. Thus, a common method used to breach security, the connection of a LAN monitor to read all network packets, would not normally work if the user attempting to use the monitor was not a member of the VLAN. An exception to the use of VLANs to enhance network security is discussed later in this article.

Construction Methods

There are two basic methods used to construct VLANs: implicit and explicit tagging. Implicit tagging results in the use of a characteristic or feature of the node connected to a LAN, such as the port on a switch through which a node connects to a network. Through the use of implicit tagging, the LAN frame remains unmodified.

In comparison, explicit tagging results in the modification of a LAN frame as it flows through a switch or router, during which a field is added that defines the VLAN associated with a network node. Currently, most work in the area of explicit tagging is being performed by the Institute of Electrical and Electronics Engineers (IEEE) 802.1Q committee. That committee prepared a Project Authorization Request (PAR) in March 1996 that defined the general scope of the VLAN standardization effort. That effort is expected to be finalized in late 1997 or early 1998. In the interim, one can acquire equipment that uses implicit tagging or proprietary explicit tagging. Both techniques are examined in the following paragraphs.

Implicit Tagging

There are three main methods of implicit tagging used to create VLANs, with each method corresponding to one of the three lower layers of the International Organization for Standardization (ISO) Open Systems Interconnection (OSI) Reference Model. Those methods include the use of ports, MAC addresses, and protocols, which correspond to the Physical Layer, Data Link Layer, and Network Layer, respectively. Since the creation of VLANs via port assignments was previously examined, this section focuses on creating VLANs using MAC addresses and protocols.

The use of MAC addresses to create VLANs provides more flexibility than the use of ports. This is because a segment-based switch would otherwise have to associate all nodes on a segment with a predefined VLAN when VLAN assignments occur based on associating a port connection to a virtual LAN. Exhibit 3 illustrates an eight-port switch that supports both VLAN creation via MAC addresses and segment switching. For simplicity, MAC addresses are shown as two hex digits instead of their IEEE 6-byte or 48-bit address.

EXHIBIT 3 VLAN Creation Using MAC Addresses

In examining Exhibit 3, note that only two segments are shown populated, segments A and B. Each of those segments has three workstations, with their MAC addresses shown as A1, A2, A3 and B1, B2, B3 for the respective segments. When a VLAN is created based on port use, all nodes on a segment are required to be assigned to the same VLAN. For example, if ports 0 and 6 were used to form a VLAN, then nodes with MAC addresses A1, A2, and A3, and server S1 would be assigned to the same broadcast domain. Suppose workstations with MAC addresses A1 and A2 were used by members of the engineering department, while workstations with MAC addresses A3, B1, B2, and B3 were used by members of the sales department. If the creation of VLANs was based on port use, one would have to physically move the workstation whose MAC address is A3 from segment A to segment B if one wanted to create two virtual LANs, each based upon the department the employee using the workstation was assigned to. In comparison, if VLAN creation is based upon a MAC address, one could assign workstations with MAC addresses A1 and A2 to one virtual LAN, while workstations with MAC addresses A3, B1, B2, and B3 could be assigned to the second virtual LAN. Note that this method of VLAN assignment alleviates the necessity to recable the workstation whose MAC address is A3.

Although this is clearly advantageous, the use of MAC addresses on segments to establish virtual LANs negates one advantage of virtual LANs: enhanced network security. By supporting the creation of VLANs based upon MAC addresses, the broadcast domain must be extended to the entire segment on which a particular MAC address resides. Thus, a packet associated with the VLAN formed by workstations A1 and A2 would be broadcast onto segment A. This means that, with appropriate equipment, the user at the workstation whose MAC address is A3 would be capable of reading packets on a different virtual LAN from the one he or she is assigned to.
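The following simulation of the Exhibit 3 switch is an added example, not code from the article; it shows, for port-based and for MAC-based VLAN assignment, which stations actually receive an engineering broadcast and which of them belong to another department. The station names, departments, and the port-0/port-6 engineering VLAN follow the article; the port used for segment B, the port for server S2, and the recabled layout are assumptions.

```python
"""Constructed model of the Exhibit 3 switch: shared segments behind ports 0
and 1, one server each on ports 6 and 7 (the segment-B and S2 ports are
assumptions); station names and departments follow the article."""

ENG, SALES = "engineering", "sales"

# Department each station belongs to (A3 is a sales user cabled onto segment A).
DEPARTMENT = {"A1": ENG, "A2": ENG, "S1": ENG,
              "A3": SALES, "B1": SALES, "B2": SALES, "B3": SALES, "S2": SALES}

# Port -> stations on the shared segment behind that port, as drawn in Exhibit 3.
AS_CABLED = {0: ["A1", "A2", "A3"], 1: ["B1", "B2", "B3"], 6: ["S1"], 7: ["S2"]}
# The same switch after physically moving A3 from segment A to segment B.
RECABLED = {0: ["A1", "A2"], 1: ["A3", "B1", "B2", "B3"], 6: ["S1"], 7: ["S2"]}

# Port-based assignment: ports 0 and 6 form the engineering VLAN, 1 and 7 sales.
PORT_VLAN = {0: ENG, 6: ENG, 1: SALES, 7: SALES}


def port_based(segments):
    """Implicit tagging by port: VLAN follows the port a station is reached through."""
    port_of = {m: p for p, st in segments.items() for m in st}
    return lambda mac: PORT_VLAN[port_of[mac]]


def mac_based(_segments):
    """Implicit tagging by MAC address: VLAN follows the station itself."""
    return lambda mac: DEPARTMENT[mac]


def receivers(src, segments, vlan_of):
    """Stations whose interface is handed a broadcast frame sent by `src`.

    The switch floods the frame onto every port with at least one member of the
    sender's VLAN behind it (the sender's own port always qualifies). A shared
    segment then delivers the frame to every station on it, member or not."""
    vlan = vlan_of(src)
    heard = set()
    for stations in segments.values():
        if any(vlan_of(m) == vlan for m in stations):
            heard.update(stations)
    heard.discard(src)
    return heard


def outsiders(src, segments, method):
    """Receivers from another department: the article's LAN-monitor case."""
    vlan_of = method(segments)
    return {m for m in receivers(src, segments, vlan_of)
            if DEPARTMENT[m] != DEPARTMENT[src]}


if __name__ == "__main__":
    # Port-based VLANs keep A3 in engineering until it is recabled; MAC-based
    # VLANs need no recabling but still expose engineering frames on segment A.
    print("port-based, as cabled:", outsiders("A1", AS_CABLED, port_based))  # {'A3'}
    print("port-based, recabled: ", outsiders("A1", RECABLED, port_based))   # set()
    print("MAC-based, as cabled: ", outsiders("A1", AS_CABLED, mac_based))   # {'A3'}
```

Running the same check from B1 shows the leak is symmetric: with MAC-based VLANs a sales broadcast is flooded onto segment A for A3's benefit, so A1 and A2 receive it too.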
The third major method used to construct VLANs is based on the protocol used by network nodes. This is a very flexible approach to VLAN creation, as it enables workstations and servers to belong to multiple VLANs. For example, returning to Exhibit 3, assume workstations whose MAC addresses are A1 and A2 use a TCP/IP protocol stack, while workstations whose MAC addresses are B1, B2, and B3 use an IPX/SPX protocol stack. Further assume that the workstation whose MAC address is A3 has dual TCP/IP and IPX/SPX protocol stacks. Then, if VLAN creation is based upon the protocol used, the workstation whose MAC address is A3 can belong to both virtual LANs.

Explicit Tagging

Explicit tagging references the physical modification of a LAN frame as it flows through a networking device. That modification adds two or more fields to a LAN frame. Currently, the IEEE 802.1Q committee has proposed two models of VLAN tagging, referred to as a one-level model and a two-level model. Exhibit 4 illustrates the formats of the one-level and two-level models. Both models are shown for Ethernet; the proposed tagging formats differ for FDDI and Token Ring LANs, which are not illustrated.

EXHIBIT 4 Potential IEEE VLAN Tagging Models

In the one-level model, the destination and source addresses from the original, untagged Ethernet frame are split apart from the remainder of the frame. Two new fields, labeled Ethertype and VLAN-ID, are inserted. The Ethertype field is used to identify the frame as a tagged packet, while the VLAN-ID field is used to identify the VLAN to which the packet is assigned. For the two-level model, the Virtual Destination and Virtual Source fields are new addresses added to the frame that represent virtual addresses. The Ethertype and VLAN-ID fields retain the same meanings as in the one-level model; however, through the use of the two-level model, frames can be addressed explicitly.

Currently, a large degree of effort remains in developing VLAN standards. For example, such questions as how explicit and implicit tagging methods can co-exist, or whether they will even co-exist, remain to be determined. Another area that remains to be resolved is the effect of extended frames upon many communications products, such as bridges, repeaters, routers, and gateways. For example, the addition of a VLAN-ID field can result in an Ethernet frame carrying a maximum 1500-byte information field having its total length exceed the maximum allowable Ethernet frame length. When this situation occurs, some communications devices that check frame lengths will treat such frames as errors. This can result in such frames being dropped, and could result in session timeouts as the frames are repeatedly retransmitted and dropped prior to their arrival at their intended destination. Thus, a considerable amount of effort remains prior to explicit tagging becoming a viable VLAN creation method.

Interoperability Issues

Today, one can acquire VLAN-capable switches and routers from more than 30 vendors. Unfortunately, the ability of a product from one vendor to interoperate with a product from another vendor with respect to their VLAN capability cannot be guaranteed. In fact, due to the lack of standards, one can only configure dissimilar equipment to operate together when implicit tagging is used. When doing so, one must restrict the method of implicit tagging to a common denominator supported by all products, and more than likely manually configure all equipment, as vendor equipment management capabilities may not be interoperable. Due to this, many organizations commonly acquire VLAN equipment from the same vendor.

CONCLUSION

Due to explicit tagging being several years away from possible standardization, most virtual LANs will continue to be developed using implicit tagging. This means organizations with immediate requirements to establish virtual LANs should focus their attention on equipment that has an implicit tagging capability. However, since organizations are always looking for methods by which they can economize on the purchase of equipment, network managers and administrators should ensure that the VLAN-capable switches and routers they purchase are software upgradeable. This means that microprocessor-based switches and routers should normally be considered, since such equipment is commonly upgradeable via a ROM change or PROM upgrade. In comparison, lower-cost products based upon the use of Application Specific Integrated Circuits (ASICs) cannot be upgraded. Thus, if an organization anticipates a requirement to obtain the support of explicit tagging once this method of VLAN creation is standardized, it should also consider acquiring upgradeable network devices, even if such devices initially are more costly.
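The one-level tagging model and the frame-length problem described under Explicit Tagging, as an added example that is not part of the article: a maximum-size Ethernet frame is tagged by inserting the Ethertype and VLAN-ID fields after the destination and source addresses, and the result is checked against the pre-VLAN maximum frame length that a length-checking bridge or repeater would enforce. Field sizes (two bytes each), the tagging Ethertype value 0x8100, and a 12-bit VLAN-ID are assumptions taken from what the finished IEEE 802.1Q standard later adopted, not from the article; the addresses and payload are constructed.

```python
"""Added example: one-level VLAN tagging of an Ethernet frame and the length
check applied by a device built before tagged frames existed.  Assumed tag
layout: 2-byte Ethertype 0x8100 followed by a 2-byte field whose low 12 bits
carry the VLAN-ID (the values IEEE 802.1Q eventually standardised)."""
import struct
import zlib

TAG_ETHERTYPE = 0x8100     # assumption: identifies the frame as tagged
MAX_PAYLOAD = 1500         # largest Ethernet information field
LEGACY_MAX_FRAME = 1518    # 14-byte header + 1500-byte payload + 4-byte FCS


def build_untagged(dst, src, ethertype, payload):
    """Plain Ethernet frame: DA, SA, Ethertype, payload, then a CRC-32 FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def tag_one_level(frame, vlan_id):
    """One-level model: keep DA and SA, insert Ethertype + VLAN-ID, then the
    rest of the original frame.  The FCS must be recomputed over the new bytes."""
    if not 0 <= vlan_id <= 0xFFF:
        raise ValueError("VLAN-ID must fit in 12 bits")
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("input frame fails its FCS check")
    tag = struct.pack("!HH", TAG_ETHERTYPE, vlan_id)
    tagged = body[:12] + tag + body[12:]
    return tagged + struct.pack("<I", zlib.crc32(tagged))


def parse_tag(frame):
    """Return (vlan_id, original Ethertype); vlan_id is None for an untagged frame."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != TAG_ETHERTYPE:
        return None, ethertype
    vlan_id, inner = struct.unpack_from("!HH", frame, 14)
    return vlan_id & 0x0FFF, inner


def legacy_device_accepts(frame):
    """A bridge or repeater enforcing the pre-VLAN maximum treats longer frames as errors."""
    return len(frame) <= LEGACY_MAX_FRAME


def demo():
    """Tag a full-size frame and report (untagged length, tagged length, accepted?, accepted?)."""
    dst = bytes.fromhex("ffffffffffff")     # constructed: broadcast address
    src = bytes.fromhex("02aa000000a1")     # constructed: station A1
    payload = bytes(MAX_PAYLOAD)            # a maximum 1500-byte information field
    untagged = build_untagged(dst, src, 0x0800, payload)
    tagged = tag_one_level(untagged, vlan_id=10)
    return (len(untagged), len(tagged),
            legacy_device_accepts(untagged), legacy_device_accepts(tagged))


if __name__ == "__main__":
    print(demo())  # (1518, 1522, True, False)
```

The four added bytes push a legal 1518-byte frame to 1522 bytes, which is exactly the error-and-drop case the article describes for equipment that checks frame lengths.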
Gilbert Held is director of 4-Degree Consulting, a Macon, GA-based high-tech consulting group. He is an internationally recognized author and lecturer, having written more than 40 books and 300 technical articles. He earned a BSEE from Pennsylvania Military College, an MSEE from New York University, and MBA and MSTM degrees from The American University. He has been selected to represent the U.S. at technical conferences in Moscow and Jerusalem and has received numerous awards for excellence in technical writing.