
VLAN TECHNOLOGY

SEMINAR- 2011

1. INTRODUCTION
A virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but it allows end stations to be grouped together even if they are not located on the same network switch. Network reconfiguration can be done through software instead of physically relocating devices. To physically replicate the functions of a VLAN, it would be necessary to install a separate, parallel collection of network cables and switches/hubs kept apart from the primary network. Unlike a physically separate network, however, VLANs must share bandwidth: two separate one-gigabit VLANs using a single one-gigabit interconnection can both suffer reduced throughput and congestion. A VLAN-aware switch implements this separation by assigning its ports to VLANs, tagging frames as they enter a VLAN, looking up the MAC table to switch or flood frames (including across trunk links to other switches), and removing the tag when a frame leaves the VLAN.

[1] DEPT OF MACS SACA NITK SURATKAL

2. WHAT IS A VLAN?
Virtual LANs (VLANs) can be viewed as a group of devices on different physical LAN segments which can communicate with each other as if they were all on the same physical LAN segment.

2.1 Switched Network with VLANs
Switches using VLANs create the same division of the network into separate broadcast domains as routers do, but without the latency of a router. Switches are also a more cost-effective solution than routers. Figure 1.1 shows a switched network topology using VLANs.

Figure 1.1 - Switched Network with VLANs

A switched network with VLANs uses Ethernet switches and only one router. The VLAN identifiers all appear on the single router interface. A router is still necessary when moving between broadcast domains, and in this example the router interface is a member of all of the VLANs. There are a number of ways to do this; at the time the source material was written most were proprietary and vendor-based, although IEEE 802.1Q tagging (Section 5) has since become the standard method.

2.2 VLAN grouping using traffic patterns

Figure 1.2 - VLAN grouping using traffic patterns

In the previous example, LANs were grouped with physical location as the primary concern. In Figure 1.2, VLAN 1 has been built with traffic patterns in mind. All of the end devices in 1b, 1c, and 1d are primarily used for access to the minicomputer in 1a. Using VLANs, these devices can be grouped logically into a single broadcast domain. This confines broadcast traffic for this workgroup to just those devices that need to see it, and reduces traffic to the rest of the network. Connection speed increases because the latency of router hops is eliminated. An additional security benefit can be realized if access to the host from foreign networks, i.e. from hosts on another subnet beyond the router, is denied.

2.3 Logically grouped VLANs
If we extend this thinking, a network that is independent of physical location and groups users into logical workgroups can be created. For instance, if a department has users in three different locations, they can now be given access to servers and printers as if they were all in the same building. Figure 1.3 illustrates this concept, with groups formed by function, traffic patterns, and workgroups. As in Figure 1.2, VLAN 1 is a group of users whose primary function is to access a database on a minicomputer. VLAN 2 comprises a similar group of users that require access to local servers and the mainframe. VLAN 3 is a department with servers and user workstations on different floors and, in the case of the workstations in 3b, in different buildings. VLANs 4 and 5 represent different departments with workstations and servers in single buildings.

Figure 1.3 Logically grouped VLANs

2.4 VLANs with ATM backbone


One problem remains with the picture above. In a campus environment it is difficult to scale this model, due to physical distances and sheer numbers. The solution to these problems is to install ATM in the cloud and use LAN Emulation (LANE) to provide backbone services to the edge devices, in this case the Ethernet switches shown in Figure 1.3. Without going into detail, LAN Emulation over ATM provides the means to fully support existing LAN-based applications without changes. Advanced LAN Emulation software makes the underlying network's move to ATM transparent. In addition, LANE provides the following benefits:
* Higher capacity
* Superior allocation and management of network capacity
* Easier management of the constantly changing LAN membership
* Access to multiple VLANs from the same physical interface
* Ease of evolution to new applications

Figure 1.4 - VLANs with ATM backbone

3. VLAN MEMBERSHIPS AND IMPLEMENTATION

There are several ways in which VLAN membership can be defined. VLAN solutions are divided into four general types:
* Port grouping
* MAC-layer grouping
* Network-layer grouping
* IP multicast grouping

3.1 Port grouping
Many initial VLAN implementations defined VLAN membership by groups of switch ports (for example, ports 1, 2, 3, 7, and 8 on a switch make up VLAN A, while ports 4, 5, and 6 make up VLAN B). Furthermore, in most initial implementations, VLANs could only be supported on a single switch. Second-generation implementations support VLANs that span multiple switches (for example, ports 1 and 2 of switch #1 and ports 4, 5, 6, and 7 of switch #2 make up VLAN A, while ports 3, 4, 5, 6, 7, and 8 of switch #1 combined with ports 1, 2, 3, and 8 of switch #2 make up VLAN B).

3.2 MAC-layer grouping
Since MAC-layer addresses are burned into the workstation's network interface card (NIC), VLANs based on MAC addresses enable network managers to move a workstation to a different physical location on the network and have that workstation automatically retain its VLAN membership. In this way, a VLAN defined by MAC address can be thought of as a user-based VLAN. One drawback of MAC address-based VLAN solutions is the requirement that all users must initially be configured into at least one VLAN. Note also that the MAC address a NIC presents can be changed in software on most operating systems, so MAC-based membership identifies a station for convenience but should not be relied upon as an authentication control.

3.3 Network-layer grouping
VLANs based on Layer 3 information take into account protocol type (if multiple protocols are supported) or network-layer address (for example, the subnet address for TCP/IP networks) in determining VLAN membership. Although these VLANs are based on Layer 3 information, this does not constitute a routing function. Even though a switch inspects a packet's IP address to determine VLAN membership, no route calculation is undertaken.

3.4 IP multicast grouping
When an IP packet is sent via multicast, it is sent to an address that acts as a proxy for an explicitly defined group of IP addresses, established dynamically. Each workstation is given the opportunity to join a particular IP multicast group by responding affirmatively to a broadcast notification that signals the group's existence. All workstations that join an IP multicast group can be seen as members of the same virtual LAN.

4. SECURITY THREAT

4.1 Private VLAN attack
Private VLANs (PVLANs) are used to isolate traffic within specific communities, creating distinct networks inside a normal VLAN. Some applications require that no traffic be forwarded at Layer 2 between interfaces on the same switch. In such an environment there is no direct exchange of frames between those interfaces; any traffic between them must pass through a Layer 3 device such as a router, which sits on the one port (the promiscuous port) that every isolated port is allowed to reach.
The attack exploits exactly that permitted path. The attacker sends a frame whose destination MAC address is that of the Layer 3 device, but whose destination IP address is that of the victim. The switch forwards the frame to the router because its MAC address is the destination. The router accepts it, sees that the destination IP belongs to a directly connected host, re-encapsulates the packet with the victim's MAC address and sends it back out the same interface, and the switch delivers it because traffic from the promiscuous port may reach any isolated port. The intended PVLAN isolation is bypassed. With this attack the attacker can only send packets to the victim, not receive replies, since frames from the victim back to the attacker are subject to the same Layer 2 isolation. The usual countermeasure is an access list on the router interface that denies packets whose source and destination addresses both belong to the local subnet, since a legitimate host never needs the router to reach a neighbour on its own subnet.

Figure 1.5 Before attack

Figure 1.6 After attack
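The exchange described above, as an added example that is not part of the original seminar report: a toy private-VLAN switch with two isolated ports and one promiscuous port, and a router that forwards by destination IP. All MAC and IP addresses are constructed. The same-subnet access list in the router is the mitigation mentioned in the text and is marked as such in the code; the switch and router are simplified models, not any vendor's implementation.

```python
"""Simulate the private VLAN proxy attack described in Section 4.1.

Added example, not from the original report. All addresses are constructed
values; the switch and router below are toy models of the Layer 2 isolation
and Layer 3 forwarding behaviour the text describes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional

LOCAL_NET = IPv4Network("10.0.0.0/24")  # subnet of the isolated community (constructed)


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    src_ip: IPv4Address
    dst_ip: IPv4Address
    payload: bytes


class Host:
    def __init__(self, mac: str, ip: str):
        self.mac, self.ip = mac, IPv4Address(ip)
        self.received: List[Frame] = []

    def receive(self, frame: Frame) -> None:
        self.received.append(frame)


class Router(Host):
    """Layer 3 device on the promiscuous port. It accepts frames addressed to
    its own MAC, routes by destination IP and re-encapsulates with the next
    hop's MAC, sending the result back through the switch."""

    def __init__(self, mac: str, ip: str, arp: Dict[IPv4Address, str], same_subnet_acl: bool):
        super().__init__(mac, ip)
        self.arp = arp
        self.same_subnet_acl = same_subnet_acl
        self.egress: Optional[Callable[[Frame, str], None]] = None  # set by the switch

    def receive(self, frame: Frame) -> None:
        if frame.dst_mac != self.mac:
            return
        # Mitigation (added here, not described in the original text): an
        # ingress ACL that drops packets whose source and destination both lie
        # in the directly connected subnet. A legitimate host never needs the
        # router to reach a neighbour on its own subnet.
        if self.same_subnet_acl and frame.src_ip in LOCAL_NET and frame.dst_ip in LOCAL_NET:
            return
        next_hop_mac = self.arp.get(frame.dst_ip)
        if next_hop_mac is None or self.egress is None:
            return
        routed = Frame(next_hop_mac, self.mac, frame.src_ip, frame.dst_ip, frame.payload)
        self.egress(routed, "promiscuous")


class PrivateVlanSwitch:
    """Two port types: 'isolated' ports may only reach the 'promiscuous' port;
    the promiscuous port may reach any port."""

    def __init__(self):
        self.ports: Dict[str, tuple] = {}  # dst MAC -> (host, port type)

    def attach(self, host: Host, port_type: str) -> None:
        self.ports[host.mac] = (host, port_type)
        if isinstance(host, Router):
            host.egress = self.forward

    def forward(self, frame: Frame, ingress_type: str) -> None:
        entry = self.ports.get(frame.dst_mac)
        if entry is None:
            return
        host, egress_type = entry
        if ingress_type == "isolated" and egress_type != "promiscuous":
            return  # Layer 2 isolation: isolated ports never talk to each other
        host.receive(frame)


def run_attack(direct: bool, same_subnet_acl: bool) -> Optional[Frame]:
    """Send one frame from the attacker and return what the victim received.

    direct=True addresses the victim's MAC (blocked by the PVLAN);
    direct=False addresses the router's MAC with the victim's IP (the proxy attack).
    """
    attacker = Host("aa:aa:aa:aa:aa:aa", "10.0.0.10")
    victim = Host("bb:bb:bb:bb:bb:bb", "10.0.0.20")
    arp = {attacker.ip: attacker.mac, victim.ip: victim.mac}
    router = Router("cc:cc:cc:cc:cc:cc", "10.0.0.1", arp, same_subnet_acl)
    switch = PrivateVlanSwitch()
    switch.attach(attacker, "isolated")
    switch.attach(victim, "isolated")
    switch.attach(router, "promiscuous")
    dst_mac = victim.mac if direct else router.mac
    switch.forward(Frame(dst_mac, attacker.mac, attacker.ip, victim.ip, b"hello victim"), "isolated")
    return victim.received[0] if victim.received else None


if __name__ == "__main__":
    print("direct frame delivered:", run_attack(direct=True, same_subnet_acl=False) is not None)
    print("proxy attack, no ACL:  ", run_attack(direct=False, same_subnet_acl=False) is not None)
    print("proxy attack, with ACL:", run_attack(direct=False, same_subnet_acl=True) is not None)
```

The frame the victim receives in the unmitigated case carries the router's MAC as source but the attacker's IP address, which is the signature a practitioner would look for when hunting for this attack on a PVLAN segment. The model also shows why the attacker cannot receive replies: a frame from the victim back to the attacker's MAC is itself isolated-to-isolated and is dropped by the switch.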

5. PROTOCOL

5.1 Protocol
The protocol most commonly used today in configuring virtual LANs is IEEE 802.1Q.

Fig 1.7 IEEE 802.1Q Header

5.1.1 TPID - Tag Protocol Identifier
The TPID field is 16 bits long with the value 0x8100. It occupies the position of the EtherType field in an untagged frame and identifies the frame as an IEEE 802.1Q tagged frame; the real EtherType of the payload follows the tag.
5.1.2 TCI (Tag Control Information)
The TCI is 16 bits long and carries three fields:
(a) Priority: a 3-bit field (PCP) used to prioritize the data this frame is carrying, giving eight levels from 0 to 7.
(b) Canonical Format Indicator (CFI): 1 bit. In the original standard, 1 means the MAC addresses are in non-canonical format and 0 means they are in canonical format. The 2011 revision of 802.1Q redefined this bit as the Drop Eligible Indicator (DEI).
(c) VLAN Identifier (VID): a 12-bit field that identifies which VLAN the frame belongs to. The values 0x000 (a priority-tagged frame that carries no VLAN) and 0xFFF are reserved, leaving 4094 usable VLAN numbers.
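The header layout above, as an added example that is not part of the original report: a parser that walks the tag of an Ethernet frame and decodes TPID, priority, CFI and VID bit by bit, together with the inverse encoder. The sample frame is constructed inline, and the MAC addresses and VLAN number in it are arbitrary. As a generalization beyond the single tag the text describes, the parser also walks stacked tags (the 0x88A8 service tag of IEEE 802.1ad), returning them outermost first.

```python
"""Parse and build the IEEE 802.1Q tag of an Ethernet frame.

Added example (not from the original seminar report). The frame below is
constructed by hand so the code runs offline; addresses and VLAN numbers
are arbitrary.
"""
import struct

TPID_8021Q = 0x8100    # Tag Protocol Identifier for a customer (C-) tag
TPID_8021AD = 0x88A8   # service (S-) tag used when tags are stacked (802.1ad)
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, the VLAN tags (outermost first) and the payload EtherType.

    Each tag's TCI is split exactly as laid out on the wire:
    3 bits priority (PCP), 1 bit CFI/DEI, 12 bits VID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break  # a real EtherType: no more tags
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vid = tci & 0x0FFF
        tags.append({
            "tpid": ethertype,
            "priority": tci >> 13,
            "cfi": (tci >> 12) & 0x1,
            "vid": vid,
            # VID 0 is "priority-tagged, no VLAN"; VID 0xFFF is reserved.
            "valid_vlan": 1 <= vid <= 4094,
        })
        offset += 4
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "tags": tags,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def build_tag(priority: int, cfi: int, vid: int, tpid: int = TPID_8021Q) -> bytes:
    """Encode a 4-byte tag (TPID + TCI); the inverse of the decoding above."""
    if not (0 <= priority < 8 and cfi in (0, 1) and 0 <= vid <= 0xFFF):
        raise ValueError("802.1Q field out of range")
    return struct.pack("!HH", tpid, (priority << 13) | (cfi << 12) | vid)


# Constructed sample: a frame tagged VLAN 100 with priority 5, followed by the
# first four bytes of an IPv4 header.
SAMPLE_FRAME = (
    bytes.fromhex("01005e000001")          # destination MAC (constructed)
    + bytes.fromhex("0a0000000001")        # source MAC (constructed)
    + build_tag(priority=5, cfi=0, vid=100)
    + struct.pack("!H", ETHERTYPE_IPV4)
    + b"\x45\x00\x00\x14"                  # IPv4 header start (constructed)
)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

Reading the VID with a mask of 0x0FFF and the priority with a shift of 13 is exactly the bit layout the text gives for the TCI; a frame whose VID decodes to 0 or 4095 is flagged rather than treated as a member of a VLAN, which is the check a switch or a capture tool should apply before acting on the tag.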

6. USES

VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain. This is also useful if someone wants to create multiple Layer 3 networks on the same Layer 2 switch. For example, if a DHCP server (which will broadcast its presence) is plugged into a switch it will serve any host on that switch that is configured to get its IP from a DHCP server. By using VLANs you can easily split the network up so some hosts won't use that DHCP server and will obtain link-local addresses, or obtain an address from a different DHCP server. Virtual LANs are essentially Layer 2 constructs, compared with IP subnets which are Layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN or have one subnet spread across multiple VLANs. Virtual LANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another and this correspondence is useful during the network design process. By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.

7. ADVANTAGES

VLAN architecture benefits include:
* Increased performance
* Improved manageability
* Network tuning and simplification of software configurations
* Physical topology independence
* Increased security options

7.1 Increased performance
Switched networks by nature increase performance over the shared-media devices in use today, primarily by reducing the size of collision domains. Grouping users into logical networks also increases performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Additionally, less traffic needs to be routed, and the latency added by routers is reduced.

7.2 Improved manageability
VLANs provide an easy, flexible, less costly way to modify logical groups in changing environments. VLANs make large networks more manageable by allowing centralized configuration of devices located in physically diverse locations.

7.3 Network tuning and simplification of software configurations
VLANs allow LAN administrators to "fine tune" their networks by logically grouping users. Software configurations can be made uniform across machines with the consolidation of a department's resources into a single subnet. IP addresses, subnet masks, and local network protocols will be more consistent across the entire VLAN. Fewer instances of local server resources such as BOOTP and DHCP will be needed in this environment, and these services can be deployed more effectively when they can span buildings within a VLAN.

7.4 Physical topology independence
VLANs provide independence from the physical topology of the network by allowing physically diverse workgroups to be logically connected within a single broadcast domain. If the physical infrastructure is already in place, it becomes a simple matter to add ports in new locations to existing VLANs if a department expands or relocates. These assignments can take place in advance of the move, and it is then a simple matter to move devices with their existing configurations from one location to another. The old ports can then be "decommissioned" for future use, or reused by the department for new users on the VLAN.

7.5 Increased security options

VLANs have the ability to provide additional security not available in a shared-media network environment. By nature, a switched network delivers unicast frames only to the intended recipients, and broadcast frames only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into VLANs separate from the rest of the general user community, regardless of physical location. In addition, monitoring a port with a traffic analyzer will only show the traffic associated with that particular port, making covert monitoring of network traffic more difficult. It should be noted that the enhanced security mentioned above is not to be considered an absolute safeguard against security infringements; the private VLAN bypass described in Section 4 is one example of a Layer 3 device undoing a Layer 2 boundary. What VLANs provide is an additional safeguard against "casual" but unwelcome attempts to view network traffic, and they should be combined with filtering at the routing layer where real isolation is required.

8. DISADVANTAGES

There are a few limitations to using VLANs, some of the more notable being:
* Broadcast limitations
* Device limitations
* Port constraints

8.1 Broadcast limitations
In order to handle broadcast traffic in an ATM VLAN environment it is necessary to have a special server that is an integrated part of the ATM infrastructure. This server is limited in the number of broadcasts it can forward. Some network protocols that will be running within individual VLANs, such as IPX and AppleTalk, make extensive use of broadcast traffic. This has the potential to exceed thresholds on the switches or broadcast servers and may require special consideration when determining VLAN size and configuration.

8.2 Device limitations
The figures in this subsection come from the UC Davis Network 21 campus network. The number of Ethernet addresses that can be supported by each edge device is 500. This represents a distribution of about 20 devices per Network 21 port. These numbers are actual technical limitations that could be further reduced by the performance requirements of attached devices, and they are above the recommended levels for high-performance networking. From a pure performance standpoint, the ideal ratio of end-user devices to Network 21 ports would be one device per port. From a practical point of view, a single Network 21 port could be shared by a number of devices that do not require a great deal of bandwidth and belong to the same VLAN, for example a desktop computer, printer, and laptop computer for an individual user.

8.3 Port constraints
If a departmental hub or switch is connected to a Network 21 port, every port on that hub must belong to the same VLAN. Hubs do not have the capability to provide VLANs to individual ports, and VLANs cannot be extended beyond the edge device ports even if a switch capable of supporting VLANs is attached.

9. CONCLUSION

The concept of service-based VLAN technology holds the potential for harmonizing many of today's organizational and managerial changes with the structural and technological developments in the network. Despite the promise of this vision, a VLAN implementation must solve real-world problems in order to be financially justified. Organizations that have deployed, or are planning to deploy, large numbers of switch ports, dividing the network into smaller segments to increase bandwidth per user, can make a very strong case for implementing VLANs in order to contain broadcasts. Any organization that expends substantial resources dealing with moves and changes in the network may also be able to justify VLAN implementation, simply because VLANs, if implemented as part of a strategic solution, can substantially reduce the cost of dealing with those moves and changes. For these organizations, the switching infrastructure upon which most VLAN solutions are based can be seen as an added, and quite valuable, benefit.
