Network essentials - Policing virtual traffic

Want to avoid routing bottlenecks? Then make the most of virtual Lans in switched networks. Here's how.

1 Virtual Lan (VLan) basics

Basically, a switched virtual Lan (VLan) is a broadcast domain that unites an arbitrary group of Lan segments at wire-speed. As with a physical Lan segment, broadcasts travel to all end-stations in a VLan. A VLan can include multiple physical Lan segments.

Because VLans bridge rather than route traffic destined for different segments within the same network, fewer routing bottlenecks arise. It also means that end-stations can be assigned to different VLans without having to configure the physical network.

2 VLans solve two problems

VLans should be seen as the solution to at least one of two problems:

- Containment of broadcast traffic to minimise dependence on routers.

- Reduction in the cost of moves, additions and changes.

In small organisations, where broadcast traffic is not yet a problem and the cost of moves, adds and changes is manageable, there may be no need to bring in VLans. In larger, flatter networks, broadcast containment can be a problem. Another consideration is how far an organisation has moved to a one-user-per-switch-port design, since port-based VLans only pay off once each port can be assigned on behalf of a single user.

3 Types of VLan

VLan membership can be defined in several different ways. VLan solutions fall into seven generic types. Arranged in order from the simplest to the most complex, they are:

- Port-based

- Protocol-based

- MAC-layer grouping

- Network-layer grouping

- IP Multicast grouping

- Combination

- Policy-based.
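The first four membership types above, and the way a combination or policy-based VLan orders them, can be seen in a small resolver that takes an untagged ingress frame and decides which VLan it belongs to. This is an added example and not code from the article or from any switch vendor; the ports, MAC addresses, subnets and sample frames are constructed for the illustration. One point the list does not make explicit comes out in the code: only port-based membership rests on something the switch observes itself, while MAC, protocol and network-layer grouping all key on fields that the sending station fills in.

```python
"""VLan membership resolver for untagged ingress frames (added example).

Implements port-based, MAC-layer, protocol-based and network-layer grouping,
and combines them under an ordered policy.  All tables and frames below are
constructed for illustration and do not describe a real network."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPX = 0x8137   # Novell IPX in Ethernet II framing

# Constructed membership tables (assumptions for the example).
PORT_VLAN = {1: 10, 2: 10, 3: 20}                    # port-based
MAC_VLAN = {bytes.fromhex("0000c0aa0001"): 30}       # MAC-layer grouping
PROTO_VLAN = {ETHERTYPE_IPX: 20}                     # protocol-based
SUBNET_VLAN = [                                      # network-layer grouping
    (ipaddress.ip_network("10.1.0.0/16"), 10),
    (ipaddress.ip_network("10.2.0.0/16"), 40),
]


def parse_frame(frame):
    """Split a raw Ethernet II frame into (dst, src, ethertype, ipv4_src)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    ipv4_src = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ipv4_src = ipaddress.IPv4Address(frame[26:30])  # offset 12 of the IP header
    return dst, src, ethertype, ipv4_src


# Each classifier returns a VLan id or None.  Only by_port keys on something
# the switch observes itself; the other three trust the sender's own fields.
def by_port(port, parsed):
    return PORT_VLAN.get(port)


def by_mac(port, parsed):
    return MAC_VLAN.get(parsed[1])          # source MAC, chosen by the sender


def by_protocol(port, parsed):
    return PROTO_VLAN.get(parsed[2])        # EtherType, chosen by the sender


def by_subnet(port, parsed):
    if parsed[3] is None:
        return None
    for net, vlan in SUBNET_VLAN:
        if parsed[3] in net:                # source IP, chosen by the sender
            return vlan
    return None


# "Combination" / "policy-based" membership: an ordered list of classifiers,
# first match wins.  The order is the policy.
DEFAULT_POLICY = (by_mac, by_subnet, by_protocol, by_port)


def classify(frame, port, policy=DEFAULT_POLICY):
    """VLan id for an untagged frame arriving on `port`; None means no rule
    matched, and the frame is dropped rather than flooded into a default VLan."""
    parsed = parse_frame(frame)
    for rule in policy:
        vlan = rule(port, parsed)
        if vlan is not None:
            return vlan
    return None


# Helpers that build the constructed sample frames.
def build_frame(dst, src, ethertype, payload):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def ipv4_header(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header; everything but the addresses is a placeholder."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed)


BCAST = b"\xff" * 6
HOST_A = bytes.fromhex("0000c0aa0001")   # listed in MAC_VLAN
HOST_B = bytes.fromhex("0000c0aa0002")   # listed nowhere

F_MAC = build_frame(BCAST, HOST_A, ETHERTYPE_IPV4, ipv4_header("10.1.5.5", "10.1.255.255"))
F_SUB = build_frame(BCAST, HOST_B, ETHERTYPE_IPV4, ipv4_header("10.2.7.7", "10.2.255.255"))
F_IPX = build_frame(BCAST, HOST_B, ETHERTYPE_IPX, b"\x00" * 30)
F_ARP = build_frame(BCAST, HOST_B, ETHERTYPE_ARP, b"\x00" * 28)
F_UNK = build_frame(BCAST, HOST_B, ETHERTYPE_IPV4, ipv4_header("192.168.9.9", "192.168.9.1"))

if __name__ == "__main__":
    for name, frame, port in [("mac", F_MAC, 3), ("subnet", F_SUB, 3),
                              ("ipx", F_IPX, 1), ("arp", F_ARP, 1), ("unknown", F_UNK, 9)]:
        print(name, "on port", port, "->", classify(frame, port),
              "| port-only policy ->", classify(frame, port, (by_port,)))
```

Reordering DEFAULT_POLICY changes the answer for the same frame: with the default order the frame from HOST_A on port 3 lands in VLan 30 because its source MAC is listed, while a port-only policy puts it in VLan 20 regardless of what the station claims about itself.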

4 Explore VLans with current switches

Take advantage of switch capabilities and network management to introduce VLans. Assign nodes to different VLans from the network management console. This segments traffic between departments and improves security without needing routers to do the separation. Bear in mind, though, that a VLan boundary only separates broadcast domains: any traffic that has to pass between VLans still goes through a router or Layer 3 switch, and that is where access control between departments must be enforced. Switches may also have Layer 2 and Layer 3 forwarding capabilities, which further reduce the need for routers.

5 Multilayer switches in VLans

Since multilayer switches work at the network layer as well as the data-link layer, they can route between virtual Lans without passing traffic to a separate router or requesting routing information from a route-server.

However, multilayer switches do not eliminate routers altogether, since they typically provide a subset of protocols, security, traffic management and Wan connectivity found in mid- and high-end routers.

6 Buying a VLan

The main rule of thumb in buying is that you don't go out to choose a VLan - you go out to buy switches, and the VLan that comes with them is the one you get. Just keep in mind these two recommendations when you go shopping:

- Buy all your switches from the same vendor if you want to run VLans;

- Buy for the strength of the switches, and not the VLan features.

7 Planning for VLans

When planning VLans, take care with any mixture of Layer 2 and Layer 3 structure so as to avoid bridging loops, broadcast storms and other anomalies. It is a very good idea at the planning stage to build in a lot of overcapacity, both to avoid having to add to the new structure piecemeal in the future and to accommodate the rapid growth that may follow from having a much more efficient network.

8 VLans as a band-aid

Some consider VLans a solution looking for a problem, which may account for their general scarcity. They may also be masking more fundamental problems. Ask yourself:

- For broadcast problems, should you not deal with them at source, by finding ways to limit the production of broadcast traffic in the first place?

- For security, shouldn't you introduce encryption between communicating parties rather than rely on switches and VLans, which leave many access points open? A VLan separates broadcast domains; it does nothing to protect the traffic within one.

- For network management complexity, shouldn't proper business practices be preferred over giving network managers tools that cause them more, not less, work?

9 Deja-vu all over again

First, VLans are proprietary single-vendor solutions. Proprietary solutions run against the multivendor and open systems approach that organisations have developed in the migration to Lans and client/server architectures. Second, despite the figures quoted for the hidden costs of networking, such as the costs of administration and changes, VLans, especially policy-based ones, have administrative costs of their own, both direct and hidden.

With the marketing rhetoric about directory-based policy-based networking well embedded, it appears vendors have learnt nothing from their own history or experience. And users will walk away from them for the same reasons they walked away from implementing VLans.

10 Layer 2 versus Layer 3 VLans

Layer 2 VLans are simpler to configure than Layer 3 VLans. Because Layer 2 switches don't include routing software, they are cheaper than Layer 3 switches, but the need for routers in larger networks closes the overall price gap.

As Layer 2 switches bridge rather than route traffic, they are also faster.

And because they are protocol-independent, Layer 2 switches can handle non-routable protocols that Layer 3 switches cannot.

11 More overhead

Layer 2 switches that use either signalling or frame-tagging to create VLans incur an extra layer of overhead. With frame-tagging, every frame crossing the backbone carries extra bytes identifying its VLan; with signalling, the switches exchange VLan membership information over the Lan backbone. In both cases backbone capacity is consumed, effectively reducing network capacity.
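How much capacity frame-tagging costs depends on the size of the frames being tagged, which the paragraph above does not quantify. The following added example, not code from the article or from any vendor, shows the tag itself and works the overhead out. The article does not say which tagging scheme it has in mind, so the example assumes IEEE 802.1Q, the standard four-byte tag inserted after the source address; the sample frame is constructed for the illustration.

```python
"""802.1Q frame tagging and the capacity it costs (added example, assuming
the tagging scheme is IEEE 802.1Q; the sample frame is constructed)."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces a VLan tag
TAG_LEN = 4              # TPID (2 bytes) + TCI (2 bytes)
WIRE_OVERHEAD = 20       # preamble/SFD (8) + inter-frame gap (12), per frame
MIN_UNTAGGED = 64        # smallest legal untagged frame, FCS included
MAX_UNTAGGED = 1518      # largest untagged frame, FCS included (1522 once tagged)


def insert_tag(frame, vid, pcp=0, dei=0):
    """Insert an 802.1Q tag after the source MAC of an untagged frame."""
    if not 1 <= vid <= 4094:             # 0 = priority-only, 4095 = reserved
        raise ValueError("VID out of range")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """Return (vid, pcp, dei, inner_ethertype, untagged_frame).

    vid is None for an untagged frame.  Only the outermost tag is peeled;
    if inner_ethertype is itself TPID_8021Q, another tag follows it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (outer,) = struct.unpack("!H", frame[12:14])
    if outer != TPID_8021Q:
        return None, None, None, outer, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid, pcp, dei = tci & 0x0FFF, tci >> 13, (tci >> 12) & 1
    return vid, pcp, dei, inner, frame[:12] + frame[16:]


def tag_overhead(untagged_len):
    """Share of wire time the tag costs for frames of a given untagged size."""
    return TAG_LEN / (untagged_len + TAG_LEN + WIRE_OVERHEAD)


# Constructed 64-byte frame: broadcast destination, ARP EtherType, zero payload.
UNTAGGED = b"\xff" * 6 + bytes.fromhex("0000c0aa0001") + b"\x08\x06" + b"\x00" * 50

if __name__ == "__main__":
    tagged = insert_tag(UNTAGGED, vid=10, pcp=5)
    print(len(UNTAGGED), "->", len(tagged), "bytes")
    print("vid, pcp, dei, inner EtherType:", parse_tag(tagged)[:4])
    for size in (MIN_UNTAGGED, 512, MAX_UNTAGGED):
        print(f"{size:5d}-byte frames: {tag_overhead(size):.2%} of capacity")
```

For minimum-size frames the four bytes are roughly 4.5 per cent of the wire time once preamble and inter-frame gap are counted; for full-size frames they are about a quarter of one per cent, so the penalty is felt on backbones carrying many small frames rather than on bulk transfers.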

12 Performance penalties

The overhead introduced by VLans can cut the throughput of a switch substantially.

The throughput penalty is dependent on the switch hardware architecture and the way VLans are implemented on a switch. Layer 2 switches that create VLans from MAC addresses tend to offer high performance with low latencies.

13 Keep it simple

If simplicity and protocol independence are needed, go for Layer 2 VLans.

If high levels of traffic management and isolation are required, Layer 3 VLans are the best choice.

14 DHCP is VLan alternative

With Dynamic Host Configuration Protocol (DHCP), networks have an alternative for reducing the workload associated with administration of workstation IP addresses. DHCP actually conflicts with VLan implementation, particularly with Layer 3 IP-based VLans: a network-layer VLan derives a station's membership from its IP address, but a DHCP client has no address until a server in some broadcast domain has given it one. DHCP also duplicates the effort of Layer 2 VLans, since both aim to make moves, adds and changes cheap.

This may explain why DHCP is more popular than VLans.

15 Implement VLans in the core

With Layer 3 switching in the distribution layer, it is possible to implement the backbone as a single logical network or multiple logical networks.

VLans can be used to create separate logical networks that can be used for different purposes.