Date posted: 04-Jan-2016
CSCD 433 Network Programming, Fall 2011
Lecture 5: VLANs
Topics
• Review of Broadcast and Collision Domains
• VLANs
  • Background
  • Relationship to Broadcast Domains
  • Creating, operation
  • Tagging
Unicast, Multicast, Broadcast
• Unicast
  • A separate transmission stream from source to destination for each recipient, example - HTTP
• Multicast
  • Traffic sent to multiple recipients at the same time using one transmission stream to the switches, at which point data are distributed out to end users on separate lines, example – IPTV
• Broadcast
  • Traffic sent out to every node on the network or a portion of the network (LAN segment)
  • Broadcasts are issued for address resolution when the location of a user or server is not known, example – DHCP uses broadcast for IP management
Collision Domain
• What is a collision domain?
• Collisions occur on Ethernet networks when ...
  • Multiple nodes on a 'network' put a signal on the wire at exactly the same time
  • They collide with each other
• When more collisions occur, stations will have to wait longer before they can transmit data
  • Decreases performance for all nodes in the same collision domain
• Networks can be separated into multiple collision domains by using LAN components
Collision Domains Should Be Small
The packets sent by the hosts on the same collision domain may collide with each other.
Broadcast Domain - Definition
• What is a broadcast domain?
• All devices in the same broadcast domain will receive broadcast frames originating from any other device within the domain
  • Broadcast frames are explicitly directed to all nodes in the same network
• Broadcast domains are essentially Layer 2 segments, which can be extended or separated by using appropriate network components
Ethernet Hub Configuration
(Figure: a hub creates a single collision domain of all the machines connected to it.)
Ethernet LAN with Switch and Hub
• Switches separate individual computers into their own collision domain
• The broadcast domain is all computers connected via a switch
  • Unless configured otherwise
Broadcast Traffic
• You may think not much traffic is broadcast
  • But you would be wrong!!!
• Which protocols?
  • ARP, DHCP, IPX, AppleTalk, Windows NetBIOS/SMB
  • Broadcast "service" advertisements to identify servers and the resources (files, printers, directories) they maintain
• The article below advocates using Wireshark to examine broadcast traffic in a LAN
  http://www.corecom.com/external/livesecurity/broadcasttraffic.htm
How much Traffic is Broadcast?
• Nodes on network use broadcast packets to verify certain means of communication, advertise available services and relay routing information about remote networks which are accessible.
Need for VLANs
Evolution Toward Virtual LANs
• Olden Days…
  • Thick cables snaked through cable ducts in buildings
  • Every computer they passed was plugged in
  • All people in adjacent offices were put on the same LAN
    • Independent of whether they belonged together or not
• More recently…
  • Hubs and switches changed all that
  • Every office connected to central wiring closets
  • Often multiple LANs (k hubs) connected by switches
  • Flexibility in mapping offices to different LANs
Group users based on organizational structure, rather than the physical layout of the building.
Need for Virtual LANs
• Also, the topology that was created by stacking hubs and switches was considered “flat” ...
If one switch is good…
More is better
And more…
And more!
What is the problem with a flat topology?
Broadcast Domain
(Figure-only slides; only the slide titles above survive, the “Broadcast Domain” title appears on three consecutive figure slides.)
VLANs Will Create “Groups”
• One way to separate a flat, largish network of switches: use VLANs
• What's a VLAN?
What is a VLAN?
• What exactly is a VLAN?
• A virtual local area network (VLAN) is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain regardless of their physical location
People Move, and Roles Change
• Organizational changes are frequent
  • Faculty office becomes a grad-student office
  • Graduate student becomes a faculty member
• Physical rewiring is a major pain
  • Requires unplugging the cable from one port
  • … and plugging it into another
  • … and hoping the cable is long enough to reach
  • … and hoping you don’t make a mistake
• Would like to “rewire” the building in software
  • Came up with the concept ... Virtual LAN (VLAN)
Why Group by Organizational Structure?
• Security
  • Ethernet is a shared medium
  • Any interface card can be put into “promiscuous” mode
  • So, isolating traffic on separate LANs improves security
• Load
  • Some LAN segments are more heavily used than others
  • E.g., researchers running experiments get out of hand
  • … can saturate their own segment and not others
  • Plus, there may be natural locality of communication
  • E.g., traffic between people in the same research group
Traditional LAN
• A traditional LAN requires all users with the same requirements and the same IP subnet to be connected to the same equipment
• Notice each switch connected to the router is in its own broadcast domain
VLAN-based LAN
• By utilizing VLANs, same users can be spread out over various geographical locations and still remain in their same IP subnet
Virtual Local Area Networks (VLAN)
• An example of a large network with VLANs
  • Office building with a switch on each of the three floors
  • A main switch connects them all
  • An administrator would be able to maintain a list of MAC addresses, assign stations from different floors to a single VLAN, and create a VLAN for each department in the company
• Switches can share their MAC address table information with other switches so the path to a destination can be quickly found
VLAN Introduction
• VLANs are created to provide segmentation services traditionally provided by physical routers in LAN configurations
• VLANs address scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, and traffic flow management.
• Switches may not bridge any traffic between VLANs, as this would violate the integrity of the VLAN broadcast domain
• Traffic should only be routed between VLANs
How VLANs Work
• VLANs are identified by a number
  • Valid range: 1-4094
• On a VLAN-capable switch, you assign ports the appropriate VLAN number
• The switch only allows data to be sent between ports with the same VLAN
• Communication between VLANs is accomplished through routing
  • Security and filtering functions of the router can be used
VLANs
• By creating three VLANs on this switch, this switch has essentially become three separate switches
• The green, blue, and yellow switch ports are isolated from each other because the switch maintains a separate bridging table for each VLAN
(Figure: one switch with its ports coloured by membership in vlan 1, vlan 2 and vlan 3.)
VLAN-Capable Switches
How does a VLAN-capable switch function?
• The switch maintains a separate bridging table for each VLAN.
• If a frame comes in on a port in VLAN 1, the switch searches the bridging table for VLAN 1
• When a frame is received, the switch adds the source address to the bridging table if it is currently unknown
• The destination is checked so a forwarding decision can be made
• For learning and forwarding, the search is made against the address table for that VLAN only
Without VLANs – No Broadcast Control
(Figure: Switch 1 with no VLANs (same as a single VLAN) and two subnets. Hosts: 172.30.1.21 and 172.30.1.23, mask 255.255.255.0; 172.30.2.10 and 172.30.2.12, mask 255.255.255.0. One host sends an ARP Request.)
• Without VLANs, the ARP Request would be seen by all hosts.
• Again, consuming unnecessary network bandwidth and host processing cycles.
With VLANs – Broadcast Control
(Figure: Switch 1 with two VLANs (VLAN 1 and VLAN 2) and two subnets. Hosts: 172.30.1.21/255.255.255.0 in VLAN 1; 172.30.2.10/255.255.255.0 in VLAN 2; 172.30.1.23/255.255.255.0 in VLAN 1; 172.30.2.12/255.255.255.0 in VLAN 2. One host sends an ARP Request.)
Switch Port: VLAN ID
Port: 1 2 3 4 5 6
VLAN: 1 2 1 2 2 1
The Implications of Creating VLANs
(Figure: Switch 1 with two VLANs and one subnet. Hosts: 172.30.1.21/255.255.255.0 in VLAN 1; 172.30.1.10/255.255.255.0 in VLAN 2; 172.30.1.23/255.255.255.0 in VLAN 1; 172.30.1.12/255.255.255.0 in VLAN 2.)
Switch Port: VLAN ID
Port: 1 2 3 4 5 6
VLAN: 1 2 1 2 2 1
Can host 172.30.1.21 communicate with host 172.30.1.10?
With VLANs
(Figure: same as the previous slide. Switch 1 with two VLANs and one subnet: 172.30.1.21 and 172.30.1.23 in VLAN 1, 172.30.1.10 and 172.30.1.12 in VLAN 2, all with mask 255.255.255.0.)
Switch Port: VLAN ID
Port: 1 2 3 4 5 6
VLAN: 1 2 1 2 2 1
Host 172.30.1.21 cannot communicate with host 172.30.1.10
Although all devices are on the same subnet, the switch has isolated the hosts in VLAN 1 from the hosts in VLAN 2
This is fine if you don’t want any communication between VLAN 1 hosts and VLAN 2 hosts
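As an added example that is not part of the lecture, the following Python model implements the per-VLAN bridging-table behaviour described under "VLAN-Capable Switches" and reproduces the ARP Request and same-subnet figures above. The port-to-VLAN map is the figure's Port/VLAN table; the MAC addresses and the placement of each host on a specific port are constructed assumptions.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class VlanSwitch:
    """Learning switch with one bridging table per VLAN, as the lecture describes."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN ID (1..4094)
        self.tables = {}                   # VLAN ID -> {source MAC: port it was learned on}

    def receive(self, in_port, src_mac, dst_mac):
        """Handle one frame arriving on in_port; return the sorted list of egress ports."""
        vlan = self.port_vlan[in_port]
        table = self.tables.setdefault(vlan, {})
        table[src_mac] = in_port           # learning: only this VLAN's table is updated
        same_vlan = sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)
        if dst_mac == BROADCAST:
            return same_vlan               # a broadcast never leaves the ingress port's VLAN
        out = table.get(dst_mac)           # lookup: only this VLAN's table is searched
        if out is None:
            return same_vlan               # unknown unicast: flood, but only within the VLAN
        return [] if out == in_port else [out]   # known: forward (or filter if already local)

# Port-to-VLAN map taken from the lecture figure's Port/VLAN table (ports 1-6 -> VLANs 1,2,1,2,2,1).
PORT_VLAN = {1: 1, 2: 2, 3: 1, 4: 2, 5: 2, 6: 1}
# Constructed MACs; which host sits on which port is an assumption (the figure does not say).
HOSTS = {"172.30.1.21": (1, "02:00:00:00:00:21"), "172.30.1.10": (2, "02:00:00:00:00:10"),
         "172.30.1.23": (3, "02:00:00:00:00:23"), "172.30.1.12": (4, "02:00:00:00:00:12")}

def arp_request_reach(port_vlan, requester_ip):
    """Ports that receive the Ethernet-broadcast ARP Request sent by requester_ip."""
    sw = VlanSwitch(port_vlan)
    port, mac = HOSTS[requester_ip]
    return sw.receive(port, mac, BROADCAST)

def can_reach(port_vlan, src_ip, dst_ip):
    """True if a unicast frame from src_ip is delivered to dst_ip's port by the switch."""
    sw = VlanSwitch(port_vlan)
    sport, smac = HOSTS[src_ip]
    dport, dmac = HOSTS[dst_ip]
    sw.receive(dport, dmac, BROADCAST)     # let the switch learn dst from its own broadcast first
    return dport in sw.receive(sport, smac, dmac)

if __name__ == "__main__":
    no_vlans = {p: 1 for p in PORT_VLAN}   # every port in VLAN 1: one big broadcast domain
    print("ARP Request from 172.30.1.21, no VLANs:  ", arp_request_reach(no_vlans, "172.30.1.21"))
    print("ARP Request from 172.30.1.21, with VLANs:", arp_request_reach(PORT_VLAN, "172.30.1.21"))
    print("172.30.1.21 -> 172.30.1.10 (same subnet, VLAN 1 vs VLAN 2):",
          can_reach(PORT_VLAN, "172.30.1.21", "172.30.1.10"))
    print("172.30.1.21 -> 172.30.1.23 (both VLAN 1):", can_reach(PORT_VLAN, "172.30.1.21", "172.30.1.23"))
```

With every port in VLAN 1 the ARP Request reaches all five other ports; with the figure's VLAN assignment it reaches only ports 3 and 6, and the same-subnet host in VLAN 2 is never found because its MAC is only ever learned in VLAN 2's table.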
Benefits of VLANs
• What are some benefits of VLANs?
• Logically separate users on the same IP subnet
• Improve performance
  • Limit the size of broadcast domains and limit broadcast activity
• Security benefits
  • Keep hosts separate by VLAN and limit the devices that can talk to those hosts
  • Can bump up the security of a single group
• Cost savings
  • You don’t need additional hardware and cabling
  • Operational benefits because changing a user’s IP subnet (broadcast domain) is done in software
Summary
• VLANs provide an efficient way to divide collision domains
• They allow a flexible method of grouping people into virtual networks
• They allow easier management of switched networks
• New Assignment will be up ...
  • Some problems from the Book