Tuesday, 28 January 2014

VLAN CONCEPT

By Raul Bernardino

Abstract:
Nowadays, workforce relocation and migration, moving staff from one location to another within the same building or to other buildings, have become a major challenge for Information Technology (IT) professionals who must provide physical network access to institutional data sources, especially in organizations that have implemented network segregation.

The aim of network segregation is to secure the network and control user access. With physical segmentation, a router is needed to link each segment to the others in the organization, so building multiple segments is costly. As the network expands, more routers are needed to separate users into broadcast and collision domains and to provide connectivity to the other Local Area Networks (LANs).

IT professionals overcome this challenge with Virtual Local Area Networks (VLANs). A VLAN is an effective solution for network segmentation: a manageable and scalable logical network design and implementation.

Introduction:
Because a VLAN is implemented and configured on the logical side, it is a manageable solution for any complex network in which a single physical broadcast domain has to be segregated. The configuration can be modified at any time without investing in additional devices.
Below I describe what a VLAN is, how it works, its benefits, and the limitations of a logical configuration on physical components. I also describe other components that a physical network implementation may require.
VLAN:

Before explaining VLANs, it is necessary to understand the LAN. In general, a LAN can be defined as a broadcast domain: all nodes are connected in one physical segment by hubs, bridges or switches. The local nodes communicate with each other without a router. If two different LANs need to communicate, a router is required.
As an institution grows, creates new departments and needs separate networks, more routers are needed to connect those LANs to each other.

One difficulty with this design is router latency. Every additional router adds delay: data passing from one LAN to another is held up because each router must examine each packet to determine its destination and route it to the proper next hop or end node.

Figure 1: General Network Routed

A VLAN can be viewed as a group of devices on different physical network segments that communicate with each other as if they were all on the same physical LAN segment. VLANs provide several benefits, described in more detail in the following sections. To get the most out of VLANs, a different network topology is needed.
Using the same end nodes and layout as Figure 1 but replacing the routers with switches improves connectivity speed and latency, but it has a serious drawback: all end nodes are now in the same broadcast domain. The most notable effect is a significant increase in broadcast traffic, since every host sees every other host as being on the same network. As such a network grows, broadcast traffic can flood it and make it essentially unusable.
Figure 2: General Network Switches


In the Figure 2 design, switches using VLANs create the same division of the network into separate broadcast domains, but without the latency of the routers; switches are also the more cost-effective solution. In the switched topology using VLANs, the original logical LAN topology from Figure 1 has been restored; the only changes are the added Ethernet switches and a single router. The VLAN identifiers appear on the single router interface, which is a member of all VLANs: one physical link to the switch carries the traffic of every VLAN, and the router forwards between them. There are several ways of carrying multiple VLANs over one link; the vendor-neutral one is IEEE 802.1Q frame tagging, although proprietary, vendor-specific schemes also exist.

Figure 3: VLANS and Network Switches

You may wonder why anyone would go to all this work only to end up with the same network (from a logical point of view) as the original. Here we begin to see the advantage of VLANs.

Figure 4: VLAN grouping using traffic Pattern

In the previous example, the LAN was grouped with physical location as the primary concern. In Figure 4, VLAN 1 has been built with traffic patterns in mind. All the end nodes in VLAN 1b, 1c and 1d are primarily used to access the minicomputer in 1a. With VLANs, these nodes can be grouped logically into a single broadcast domain. This narrows the workgroup's broadcast traffic to just those devices that need to see it and reduces traffic to the rest of the network, avoiding the speed and latency limitations of routers. VLANs can also improve security if we decide not to allow traffic from foreign networks. Taking this further, we can create a network that is independent of physical location and group users into logical workgroups: if one department has users in three different locations, they can be given the same access to specific servers and printers as if they were in the same building. This concept uses the same end devices as Figure 1, logically grouped by function, traffic pattern and workgroup.
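To make the two ideas above concrete (a switch that keeps each VLAN a separate broadcast domain, and a single router interface that is a member of every VLAN over one tagged link), here is an added example that is not part of the original post. It builds and parses IEEE 802.1Q tagged frames and models a VLAN-aware learning switch; the port names, MAC addresses and payloads are constructed for the demo, and the switch behaviour (access ports drop tagged frames, trunks drop untagged ones) is a simplifying assumption rather than any particular vendor's implementation.

```python
# Added example, not from the original post: 802.1Q tagged frames and a
# VLAN-aware learning switch. Port names, MACs and payloads are constructed.
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST = bytes.fromhex("ffffffffffff")


def untagged_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame as a host on an access port would send it."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_frame(dst, src, vlan_id, payload, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Insert an 802.1Q tag (TPID 0x8100 + 16-bit TCI) after the source MAC.
    TCI = 3-bit priority (PCP), 1-bit DEI (left 0), 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:              # 0 and 4095 are reserved
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id, ethertype, payload); vlan_id is None if untagged."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class VlanSwitch:
    """Learning switch with access ports (one untagged VLAN each) and trunk
    ports (any VLAN, tagged). The MAC table is keyed by (vlan, mac), so
    forwarding never crosses a VLAN boundary: that is the router's job."""

    def __init__(self):
        self.access = {}      # port -> VLAN ID
        self.trunks = set()   # ports that carry 802.1Q tags
        self.mac_table = {}   # (vlan, mac) -> port

    def add_access_port(self, port, vlan_id):
        self.access[port] = vlan_id

    def add_trunk_port(self, port):
        self.trunks.add(port)

    def _egress(self, port, vlan_id, dst, src, ethertype, payload):
        if port in self.trunks:                # tag stays on trunk links
            return build_frame(dst, src, vlan_id, payload, ethertype=ethertype)
        return untagged_frame(dst, src, payload, ethertype)  # stripped on access ports

    def receive(self, in_port, frame):
        """Switch one frame; returns {out_port: frame} for every delivery."""
        dst, src, vlan_id, ethertype, payload = parse_frame(frame)
        if in_port in self.trunks:
            if vlan_id is None:
                return {}                     # untagged on a trunk: dropped in this model
        else:
            if vlan_id is not None:
                return {}                     # a host may not choose its own VLAN
            vlan_id = self.access[in_port]    # VLAN comes from the port configuration
        self.mac_table[(vlan_id, src)] = in_port
        known = self.mac_table.get((vlan_id, dst))
        if dst != BROADCAST and known is not None:
            targets = [] if known == in_port else [known]
        else:  # broadcast or unknown unicast: flood, but only inside this VLAN
            targets = [p for p, v in self.access.items() if v == vlan_id and p != in_port]
            targets += [p for p in self.trunks if p != in_port]
        return {p: self._egress(p, vlan_id, dst, src, ethertype, payload) for p in targets}


def demo():
    """Constructed scenario: hosts A and B in VLAN 10, host C in VLAN 20, and
    one trunk to the router interface that is a member of all VLANs.
    Returns {scenario: {out_port: vlan_tag_seen_on_the_wire}}."""
    sw = VlanSwitch()
    for port, vlan in {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20}.items():
        sw.add_access_port(port, vlan)
    sw.add_trunk_port("Gi0/1")
    mac_a, mac_c, mac_r = (bytes.fromhex(h) for h in ("02000000000a", "02000000000c", "02000000000f"))

    def on_wire(out):
        return {port: parse_frame(f)[2] for port, f in out.items()}

    return {
        "vlan10_broadcast": on_wire(sw.receive("Fa0/1", untagged_frame(BROADCAST, mac_a, b"who-has"))),
        "router_reply_to_A": on_wire(sw.receive("Gi0/1", build_frame(mac_a, mac_r, 10, b"is-at"))),
        "vlan20_broadcast": on_wire(sw.receive("Fa0/3", untagged_frame(BROADCAST, mac_c, b"who-has"))),
        "A_to_C_unknown": on_wire(sw.receive("Fa0/1", untagged_frame(mac_c, mac_a, b"data"))),
    }


if __name__ == "__main__":
    for name, deliveries in demo().items():
        print(f"{name}: {deliveries}")
```

The broadcast from host A reaches host B and the trunk (tagged 10) but never the VLAN 20 port; the router's reply goes only to A's port; and A's frame to C's MAC, which is unknown in VLAN 10, floods VLAN 10 only, so the two hosts cannot talk without the router even though they hang off the same switch.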

Figure 5: Logically grouping VLANs

VLAN 1 is a group of users whose primary function is to access a database on the minicomputer. VLAN 2 comprises a similar group of users who need access to local servers and the mainframe. VLAN 3 is a department with servers and workstations on different floors (VLAN 3b). VLANs 4 and 5 represent different departments with servers and workstations in the same building.

Although this VLAN design seems manageable, one problem remains: in a campus environment the model is difficult to scale because of distance and the number of employees. The Network 21 design described here overcame this with an Asynchronous Transfer Mode (ATM) core, using LAN Emulation (LANE) to provide backbone services to the edge devices; the LANE software makes the move to ATM transparent to the rest of the network. LANE provides the following benefits:
  1. Higher capacity
  2. Superior allocation and management of network capacity
  3. Easier management of the constantly changing LAN membership
  4. Access to multiple VLANs from the same physical interface
  5. Ease of evolution to new applications.
Figure 6 below shows VLANs in an ATM LANE environment. Notice that nothing has changed at the edges of the network, while a little more detail has been added at the core.

Figure 6: VLANs with ATM backbone

ATM LANE is not discussed in detail here. For the purpose of this discussion, the figure above gives a high-level view of an ATM VLAN environment and closely mirrors the Network 21 architecture.

VLAN Benefits:

As we have seen, there are several benefits to using VLANs. In summary, the benefits of the VLAN architecture are:
  1. Increased performance
  2. Improved manageability
  3. Network tuning and simplification of software configurations
  4. Physical topology independence
  5. Increased security options
1.     Increased performance:
Switches by their nature increase network performance over shared-media devices, primarily by reducing the size of collision domains. Grouping users into logical networks also increases performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Moreover, less traffic needs to be routed, so the latency added by routers is reduced.

2.     Improved manageability:
VLANs provide an easy, flexible and inexpensive way to modify logical groups in changing environments. They make large networks more manageable by allowing centralized configuration of devices located in physically diverse locations.

3.     Network tuning and simplification of software configurations:
VLANs allow LAN administrators to "fine tune" the network by logically grouping users according to function and department. Software configurations can be made uniform across machines by consolidating a department's resources into a single subnet: IP addresses, subnet masks and local network protocols become more consistent across the entire VLAN. Fewer instances of local server resources such as BOOTP and DHCP are needed, since these services can be deployed more effectively when they span buildings within a VLAN.

4.     Physical topology independence:
VLANs provide independence from the physical topology of the network by allowing physically diverse workgroups to be logically connected within a single broadcast domain. If the physical infrastructure is already in place, adding ports in new locations to existing VLANs becomes a simple matter when a department expands or relocates. These assignments can be made in advance of the move, after which devices are simply moved with their existing configurations from one location to another. The old ports can then be decommissioned for future use or reused by the department for new users on the VLAN.

5.     Increased security options:
VLANs can provide additional security not available in a shared-media network. A switched network delivers unicast frames only to the intended recipient, and broadcast frames only to other members of the VLAN. This allows the network administrator to place users who require access to sensitive information in VLANs separate from the general user community, regardless of physical location. In addition, a traffic analyzer attached to a port sees only the traffic associated with that port, which makes discreet monitoring of network traffic more difficult.

It should be noted that the enhanced security mentioned above is not an absolute safeguard against security breaches. What it provides is an additional safeguard against "casual" but unwelcome attempts to view network traffic. A VLAN is a Layer 2 construct: traffic between VLANs still passes through the router, so access control between them must be enforced there, and the separation holds only as long as the switch ports and trunk links are configured correctly.
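The caveat above has a practical side: the separation a VLAN gives you depends on port and trunk configuration, so it is worth checking. The following is an added example, not from the original post, that audits a switch configuration for the settings commonly cited in VLAN hardening guidance (no trunk negotiation on user ports, an unused native VLAN on trunks, a pruned list of allowed VLANs). Cisco IOS-style syntax is assumed, the defaults applied when a line is absent are assumptions about that syntax, and SAMPLE_CONFIG is constructed for the example.

```python
# Added example, not from the original post: audit switch-port configuration
# for settings that weaken VLAN separation. Cisco IOS-style syntax is assumed;
# SAMPLE_CONFIG is constructed for the example.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode dynamic desirable
 switchport access vlan 10
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
"""


def parse_interfaces(config_text):
    """Split a running-config into {interface_name: [stanza lines]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def port_settings(lines):
    """Reduce a stanza to the switchport settings the audit cares about.
    The defaults are assumptions about IOS behaviour when a line is absent."""
    s = {"mode": "dynamic auto", "native": 1, "allowed": None,
         "nonegotiate": False, "access_vlan": 1}
    for line in lines:
        if line.startswith("switchport mode "):
            s["mode"] = line[len("switchport mode "):]
        elif line.startswith("switchport trunk native vlan "):
            s["native"] = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            s["allowed"] = line[len("switchport trunk allowed vlan "):]
        elif line == "switchport nonegotiate":
            s["nonegotiate"] = True
        elif line.startswith("switchport access vlan "):
            s["access_vlan"] = int(line.rsplit(None, 1)[1])
    return s


def audit(config_text):
    """Return a sorted list of (interface, finding) pairs."""
    ports = {name: port_settings(lines)
             for name, lines in parse_interfaces(config_text).items()}
    user_vlans = {s["access_vlan"] for s in ports.values() if s["mode"] == "access"}
    findings = []
    for name, s in ports.items():
        if s["mode"].startswith("dynamic"):
            findings.append((name, f"mode '{s['mode']}' lets the attached device negotiate a "
                                   "trunk (DTP); use 'switchport mode access' and 'switchport nonegotiate'"))
        if s["mode"] == "trunk":
            if not s["nonegotiate"]:
                findings.append((name, "trunk still sends DTP; add 'switchport nonegotiate'"))
            if s["native"] == 1:
                findings.append((name, "native VLAN left at the default (1); untagged frames "
                                       "on this trunk land in VLAN 1"))
            elif s["native"] in user_vlans:
                findings.append((name, f"native VLAN {s['native']} is also a user access VLAN; "
                                       "use a dedicated unused VLAN"))
            if s["allowed"] is None:
                findings.append((name, "all VLANs allowed on the trunk; prune with "
                                       "'switchport trunk allowed vlan'"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

On the sample, FastEthernet0/1 and GigabitEthernet0/2 pass, FastEthernet0/2 is flagged for trunk negotiation, and GigabitEthernet0/1 collects three findings. Run it against a real configuration dump instead of SAMPLE_CONFIG and extend the checks to whatever your switch platform exposes.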

VLAN Limitations:

There are a few limitations to using VLANs, some of the more notable being:
  1. Broadcast limitations
  2. Device limitations
  3. Port constraints
1.     Broadcast limitations:
In order to handle broadcast traffic in an ATM VLAN environment, a special server that is an integrated part of the ATM infrastructure is required. This server is limited in the number of broadcasts it can forward. Some network protocols running within individual VLANs, such as IPX and AppleTalk, make extensive use of broadcast traffic. This can exceed thresholds on the switches or broadcast servers and may require special consideration when determining VLAN size and configuration.

2.     Device limitations:
The number of Ethernet addresses that can be supported by each edge device is 500, which represents a distribution of about 20 devices per Network port. These are actual technical limits, which could be further reduced by the performance requirements of attached devices.
These limits are above the recommended levels for high-performance networking. From a pure performance standpoint, the ideal ratio of end-user devices to Network ports would be one device per port. In practice, a single Network port can be shared by a number of devices that do not require a great deal of bandwidth and belong to the same VLAN, for example an individual user's desktop computer, printer and laptop.

3.     Port Constraints:
If a departmental hub or switch is connected to a Network port, every port on that hub must belong to the same VLAN. Hubs cannot assign VLANs to individual ports, and VLANs cannot be extended beyond the edge device ports even if the attached switch supports VLANs.

Preparing a VLAN:

Here are answers to some questions you might have regarding the implementation of the Network and VLANs.

How many VLANs do I need?
The Network Project, especially Network 21, can accommodate 300 to 400 VLANs. In the majority of cases a department should need only one VLAN. Given that 250 departments are included in the project, departments should try to limit themselves to one or two VLANs. Each LAN administrator will need to determine the appropriate logical groups for their department. Most departments are expected to obtain the maximum benefit by consolidating the majority (if not all) of their users into a single large VLAN, with smaller VLANs used where necessary to group power users or those requiring special handling.

What VLAN information is required by the survey?
As part of the Network 21 Stage 3 survey you will be asked to identify both the number of VLANs your department requires and the individual NAMs that comprise each VLAN. A worksheet will be provided for each of these tasks. The Department VLAN Worksheet simply asks for the VLAN number (start with one and increment accordingly), a description of its purpose, the primary department owner, and the names of any other departments on the VLAN. The Department NAM Verification Worksheet lists all of the department's NAMs with their building and room number. You are asked to supply the VLAN number (from the Department VLAN Worksheet) each NAM is to be connected to, and the number of devices served by that NAM. There are also check boxes to identify whether any devices attached to each NAM are running AppleTalk, DECnet or IPX. Detailed instructions and examples will be provided with the survey sheets to assist in filling out these forms.

Glossary:

ATM
Asynchronous Transfer Mode. International standard for cell relay in which multiple service types (such as voice, video, or data) are conveyed in fixed-length (53-byte) cells. Fixed-length cells allow cell processing to occur in hardware, thereby reducing delay. ATM is designed to take advantage of high-speed transmission media.

Bridge
A device that connects and passes packets between two network segments that use the same communications protocol. Bridges operate at the data link layer (Layer 2) of the OSI reference model. In general, a bridge will filter, forward, or flood an incoming frame based on the MAC address of that frame.

BOOTP
Bootstrap Protocol. A protocol used by a network node to learn the IP address of its Ethernet interfaces in order to boot over the network.

Broadcast Domain
The set of all devices that will receive broadcast frames originating from any device within the set. Broadcast domains can be bounded by VLANs in a stand-alone environment. In an internetworking environment, they are typically bounded by routers because routers do not forward broadcast frames.

Collision
In Ethernet, the result of two nodes that transmit simultaneously. The frames from each device impact and are damaged when they meet on the physical media.

Collision Domain
In Ethernet, the network area within which frames that have collided are propagated. Repeaters and hubs propagate collisions; LAN switches, bridges and routers do not.

CSMA/CD
Carrier Sense Multiple Access/Collision Detect. Media-access mechanism wherein devices ready to transmit data first check the channel for a carrier signal. If no carrier is sensed for a specific period, a device can transmit. A collision occurs if two devices transmit simultaneously, and the collision is detected by all colliding devices. This collision subsequently delays retransmissions from those devices for some random length of time. CSMA/CD access is used by Ethernet and IEEE 802.3.

DHCP
Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.

Edge Device
A physical device that is capable of forwarding packets between legacy interfaces (such as Ethernet and Token Ring) and ATM interfaces based on data-link and network layer information. An edge device does not participate in the running of any network layer routing protocol.

Ethernet
Baseband LAN specification invented by Xerox Corporation and developed jointly by Xerox, Intel, and Digital Equipment Corporation. Ethernet networks use CSMA/CD and run over a variety of cable types at 10 Mbps. Ethernet is similar to the IEEE 802.3 series of standards.

Fast Ethernet
Any of a number of 100-Mbps Ethernet specifications, Fast Ethernet offers a speed increase ten times that of the 10BaseT Ethernet specification, while preserving such qualities as frame format, MAC mechanisms, and MTU. Such similarities allow the use of existing Ethernet applications and network management tools on Fast Ethernet networks. Fast Ethernet is based on an extension to the IEEE 802.3 specification.

Frame
The logical grouping of information sent as a data link layer unit over a transmission medium. Often refers to the header and trailer, used for synchronization and error control, which surround the user data contained in the unit.

Hub
Generally, a device that serves as the center of a star-topology shared network. Also describes a hardware or software device that contains multiple independent but connected modules of network and internetwork equipment.

IEEE
Institute of Electrical and Electronics Engineers. The IEEE is a professional organization whose activities include the development of communications and network standards. IEEE LAN standards are the predominant LAN standards today.

IP
Internet Protocol. Network layer protocol in the TCP/IP stack offering a connectionless internetwork service. IP provides features for addressing, type-of-service specification, security, and fragmentation and reassembly.

IP Address
32-bit address assigned to hosts using TCP/IP. An IP address belongs to one of five classes (A, B, C, D, or E) and is written as four octets separated by periods (dotted decimal format). Each address consists of a network number, an optional sub-network number, and a host number. The network and sub-network numbers together are used for routing, while the host number is used to address an individual host within the network or sub-network. A subnet mask is used to extract network and sub-network information from the IP address.

LAN
Local-Area Network. High-speed, low-error data network covering a relatively small geographic area (up to a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area. LAN standards specify cabling and signaling at the physical and data link layers of the OSI model. Ethernet, FDDI, and Token Ring are widely used LAN technologies.

LANE
LAN emulation. Technology that allows an ATM network to function as a LAN backbone. The ATM network must provide multicast and broadcast support, address mapping (MAC-to-ATM), SVC management, and a usable packet format. LANE also defines Ethernet and Token Ring ELANs.

Latency
Delay between the time a device requests access to a network and the time it is granted permission to transmit. It is also the delay between the time when a device receives a frame and the time that frame is forwarded out the destination port.

Node
Endpoint of a network connection or a junction common to two or more lines in a network. Nodes can be processors, controllers, or workstations. Nodes, which vary in routing and other functional capabilities, can be interconnected by links, and serve as control points in the network. Node is sometimes used generically to refer to any entity that can access a network, and is frequently used interchangeably with device.

OSI Model
Open System Interconnection reference model. Network architectural model developed by ISO and ITU-T. The model consists of seven layers, each of which specifies particular network functions such as addressing, flow control, error control, encapsulation, and reliable message transfer. The lowest layer (the physical layer) is closest to the media technology. The lower two layers are implemented in hardware and software, while the upper five layers are implemented only in software. The highest layer (the application layer) is closest to the user. The OSI reference model is used universally as a method for teaching and understanding network functionality.

Packet
A logical grouping of information that includes a header containing control information and (usually) user data, packets are most often used to refer to network layer units of data.

Router
Network layer device that uses one or more metrics to determine the optimal path along which network traffic should be forwarded. Routers forward packets from one network to another based on network layer information. Occasionally called a gateway (although this definition of gateway is becoming increasingly outdated).

Subnet
Sub-network. In IP networks, a network sharing a particular subnet address. Sub-networks are networks arbitrarily segmented by a network administrator in order to provide a multilevel, hierarchical routing structure while shielding the sub-network from the addressing complexity of attached networks.

Subnet Mask
32-bit address mask used in IP to indicate the bits of an IP address that are being used for the subnet address. The subnet mask is sometimes referred to simply as mask.

Switch
A network device that filters, forwards, and floods frames based on the destination address of each frame. The switch operates at the data link layer of the OSI model.

VLAN
Virtual LAN. Group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.

Conclusion:
A VLAN is a flexible logical network that makes it easy to optimize network access by grouping users according to function, department, and specific needs and requirements; this is what network segmentation means in practice. A VLAN is a logical configuration that is easy to manage and scalable.

VLANs also lower the cost of buying new routers to separate sub-networks: each VLAN is its own broadcast domain, defined in software on a single physical network infrastructure. VLANs also add a measure of security to the network.

Reference List:
·        Wikipedia (n.d.), Asynchronous Transfer Mode, [online]. Available from: http://en.wikipedia.org/wiki/Asynchronous_Transfer_Mode (accessed 27 January 2014)
·        Wikipedia (n.d.), ATM (computer), [online]. Available from: http://en.wikipedia.org/wiki/ATM_(computer) (accessed 27 January 2014)
·        UC Davis (n.d.), VLAN Information (Network 21), [online]. Available from: http://net21.ucdavis.edu/newvlan.htm (accessed 27 January 2014)