Virtual vs. Physical LANs: Device Functionalities

Overview

Many terms, features, and technologies are thrown at new networking students. It is common to feel overwhelmed when learning these concepts, which seem complex and foreign to people who have no previous experience in the field. This confusion is compounded by the fact that many of these technologies overlap with each other. An example of this overlap is the concept of a virtual LAN (VLAN). Since it is common to begin by learning about physical LANs, students can become confused if instructors attempt to teach VLAN concepts without first establishing a solid understanding of the physical concepts.

If your understanding of physical LAN concepts is not completely solid, review those concepts thoroughly before reading this article. We will examine how virtual LAN concepts tie in with physical LAN device functionalities, which assumes that you thoroughly understand those physical LAN concepts. Let’s get started.

Differences Between Physical and Virtual LANs

It is important to understand that a VLAN does not create new devices or attempt to virtually represent new devices. A lot of attention is currently focused on virtualization and the abstraction of services; however, for the purposes of this discussion, we will ignore those technologies and how they operate.

The purpose of a VLAN is simple: It removes a limitation of physically switched LANs, in which every device connected to the switch can automatically reach every other device. With a VLAN, it is possible to have hosts that are connected together on the same physical LAN but not allowed to communicate directly. This restriction gives us the ability to organize a network without requiring that the physical LAN mirror the logical connection requirements of any specific organization.

To make this concept a bit clearer, let’s use the analogy of a telephone system. Imagine that a company has 500 employees, each with his or her own telephone and dedicated phone number. If the telephones are connected like a traditional residential phone system, anyone has the ability to call any direct phone number within the company, regardless of whether that employee needs to receive direct business phone calls. This arrangement presents a number of problems, from potential wrong number calls to prank or malicious calls that are intended to reduce the organization’s productivity.

Now suppose a more efficient and secure option is offered, allowing the business to install and configure a separate internal phone system. This phone system forces external calls to go through a separate switchboard or operator—in a more modern phone network, an Integrated Voice Response (IVR) system. This new phone system lets internal users connect directly to each other via extensions (typically using shorter numbers), while it limits what the internal users’ phones can do and where and whom the user can call. This internal phone system allows the organization to virtually separate the internal phones. This is essentially what a VLAN does on a network.

To take this analogy into the networking world, consider the network shown in Figure 1.

Figure 1 Basic switched network.

Suppose that hosts A and B are together in one department, and hosts C and D are together in another department. With physical LANs, they could be connected in only two ways: either all of the devices are connected together on the same LAN (hoping that the users of the other department hosts will not attempt to communicate), or each of the department hosts could be connected together on separate physical switches. Neither of these is a good solution. The first option opens up many potential security holes, and the second option would become expensive very quickly.

To solve this sort of problem, the concept of a VLAN was developed. With a VLAN, each port on a switch can be configured into a specific VLAN, and then the switch will only allow devices that are configured into the same VLAN to communicate. Using the network in Figure 1, if A and B were grouped together and separated from the C and D group, you could place A and B into VLAN 10 and C and D into VLAN 20. This way, their traffic would be kept isolated on the switch. In this configuration, the traffic between groups would be prevented at Layer 2 because of the difference in assigned VLANs.
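The Figure 1 scenario as an added, runnable model (not code from the original article): a switch whose ports are access ports in VLAN 10 or VLAN 20, with a MAC table that is learned per VLAN, so a frame from the C/D group never reaches A or B. The port names, MAC addresses and VLAN numbers are constructed sample values.

```python
# Added model of the switch in Figure 1: each port is assigned to a VLAN and
# the switch learns and forwards MAC addresses per VLAN, so frames never cross
# from VLAN 10 to VLAN 20. Port names and MAC addresses are constructed.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address (BROADCAST floods)

class VlanSwitch:
    """Layer 2 switch whose ports are access ports in a single VLAN each."""

    def __init__(self, port_vlans: dict):
        self.port_vlans = port_vlans   # port name -> VLAN id
        self.mac_table = {}            # (vlan, mac) -> port where it was learned

    def forward(self, in_port: str, frame: Frame) -> list:
        """Return the egress ports for a frame received on in_port."""
        vlan = self.port_vlans[in_port]
        # Learning is scoped to the ingress VLAN; the same MAC in another VLAN is unknown.
        self.mac_table[(vlan, frame.src)] = in_port
        known = self.mac_table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            return [] if known == in_port else [known]
        # Broadcast or unknown unicast: flood, but only to ports in the same VLAN.
        return sorted(p for p, v in self.port_vlans.items() if v == vlan and p != in_port)

def demo() -> tuple:
    sw = VlanSwitch({"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20, "Fa0/4": 20})  # A,B / C,D
    mac = {h: f"00:00:00:00:00:0{h.lower()}" for h in "ABCD"}
    # A broadcasts (think ARP request): only B's port sees it, not C or D.
    bcast = sw.forward("Fa0/1", Frame(mac["A"], BROADCAST))
    # B answers A: the switch learned A on Fa0/1 in VLAN 10, so it unicasts there.
    reply = sw.forward("Fa0/2", Frame(mac["B"], mac["A"]))
    # C sends a frame addressed to A: A is unknown in VLAN 20, so it floods only to D.
    cross = sw.forward("Fa0/3", Frame(mac["C"], mac["A"]))
    return bcast, reply, cross
```

The third result is the point of the VLAN: even though C names A's MAC address, the frame is only ever flooded to D's port, because the switch has no VLAN 20 entry for A and never forwards into VLAN 10.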

Complexities of Virtual LANs

As in many other technologies, virtual LANs include a caveat; however, the VLAN caveat is also an advantage: While a VLAN allows hosts to be virtually separated at Layer 2, it doesn’t provide a mechanism for communicating between VLANs. To return to our earlier telephone system analogy, sometimes phones in an isolated part of an organization must communicate with other, non-isolated phones. Typically with phone systems this requirement means dialing a specific prefix to call “outside” that isolated part of the phone network; for example, we’re told “Dial 9 to get an outside line.”

With networks that use VLANs, the only way to communicate with other devices in different VLANs is to bring in a Layer 3 device (a router or Layer 3 switch); this device is configured to allow communications between the devices in different VLANs. This device’s Layer 3 (and above) features might be configured to limit the amount and types of traffic allowed between devices. This type of connection can be implemented in a few different ways: using a router that has an interface connected per VLAN on the switch, using a router along with switch trunking capabilities (IEEE 802.1Q), or using a Layer 3-capable switch for multi-layer switching (MLS). We’ll address these connection types in more detail in a future article.
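As an added example of the IEEE 802.1Q trunking option named above (not code from the original article): frames from several VLANs share one link to the router, and the 12-bit VLAN ID in the tag tells the router which VLAN, and therefore which subinterface, each frame belongs to. The MAC addresses, VLAN IDs, native VLAN and subinterface names are constructed sample values.

```python
# Added example: building and parsing 802.1Q-tagged frames, then selecting the
# router subinterface from the VLAN ID. Constants follow the 802.1Q format;
# the MACs, VLAN IDs and subinterface names are constructed sample values.
import struct

TPID_8021Q = 0x8100        # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def tag_frame(dst: bytes, src: bytes, vid: int, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp & 0x7) << 13 | (vid & 0x0FFF)   # TCI = PCP(3) DEI(1, here 0) VID(12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    """Return the Ethernet header fields; 'vid' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "ethertype": ethertype, "payload": frame[14:]}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner_type, "payload": frame[18:]}

def select_subinterface(frame: bytes, subinterfaces: dict, native_vlan: int) -> str:
    """Router side of the trunk: map the frame's VLAN to a configured subinterface."""
    hdr = parse_frame(frame)
    vid = native_vlan if hdr["vid"] is None else hdr["vid"]   # untagged = native VLAN
    if vid not in subinterfaces:
        return "drop"    # a VLAN the router has no subinterface for is not routed
    return subinterfaces[vid]

def demo() -> list:
    router_mac = bytes.fromhex("020000000001")
    host_a = bytes.fromhex("02000000000a")     # host A, VLAN 10
    host_c = bytes.fromhex("02000000000c")     # host C, VLAN 20
    subifs = {10: "Gi0/0.10", 20: "Gi0/0.20"}  # constructed subinterface names
    f10 = tag_frame(router_mac, host_a, 10, ETHERTYPE_IPV4, b"ip-packet-from-A")
    f20 = tag_frame(router_mac, host_c, 20, ETHERTYPE_IPV4, b"ip-packet-from-C")
    f30 = tag_frame(router_mac, host_c, 30, ETHERTYPE_IPV4, b"stray-vlan")
    untagged = router_mac + host_a + struct.pack("!H", ETHERTYPE_IPV4) + b"native"
    return [select_subinterface(f, subifs, native_vlan=1) for f in (f10, f20, f30, untagged)]
```

Only VLANs 10 and 20 have a subinterface, so the frame tagged 30 and the untagged (native VLAN 1) frame are dropped rather than routed between the departments.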

Summary

As long as your understanding of physical LAN principles was solid before reading this article, you should now have a good idea of what VLANs are and how greatly they affect how a network is designed and implemented. The VLAN’s implementation opens a number of doors in terms of the flexibility of a network’s design. Virtual networks will be implemented even more frequently in the next few years, as network design changes with newer technologies, making understanding their operation even more important.
