Friday, February 25, 2011


(Note that this is not an official Basic Draft article. It does not meet Basic Draft standards and will not be listed. If you've arrived through a search engine, please use the search function (top-left) to find a more suitable article).
A VLAN is a LAN that may span multiple physical segments. This means that it is not restricted to a single switch.

VLANs are used to segment a network based on function, team grouping and applications without worrying about the physical location of the devices.

Configuration and reconfiguration of switches is done through software; physical intervention (such as moving a cable from switch to switch) is not necessary.

If you have three departments of 4 computers each and a 16-port switch, you can simply segment the switch into 3 VLANs to connect them instead of having to allocate three switches. Routing between the VLANs can be done as normal through a router (i.e. three different interfaces of a router, each belonging to a different VLAN) or through a trunk link (discussed later).

A VLAN is like a LAN, in that it is a separate broadcast domain itself. Each VLAN also corresponds to a subnet (or network).

Using a router also allows you to implement security features such as ACLs on the interfaces (or subinterfaces). In the seminar, up to 255 VLANs can be supported on each switch. Some switches in real life, however, can use up to 4096 non-extended VLANs.

Every switch port is in the default VLAN, VLAN 1, when the switch is first taken out of the box. According to the seminar, the management VLAN must be 1 and an IP address must be configured on VLAN 1. However, this is not true. Besides, it is best practice to use another VLAN as the management VLAN. Also, the default VLAN (1) may not be deleted or renamed. According to the seminar, VTP messages are sent on VLAN 1 (covered later).

The switch maintains a separate bridging table for each port. Learning, forwarding and filtering are done only against the table allocated to the VLAN.

Each port can be assigned to a different VLAN, and ports assigned the same VLAN share a broadcast domain. VLANs can be statically assigned to a port or assigned based on the MAC address of the connected device (this can be done through AAA or VMPS).

A static VLAN assignment causes any device connected to the port to belong to that configured VLAN. Static VLANs are easily administered via GUIs. Security is easily enforced and VLAN traffic leakage is uncommon. They are also easily controlled across the entire network. Static assignment is used when switch ports cannot be switched by users, when good software is available to manage the ports, and when the administrative overhead of dynamic VLANs outweighs the benefits.
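As an added example (not from the seminar or the original post), here is the three-department, 16-port case above written as Cisco IOS configuration: static port assignment, the management VLAN moved off VLAN 1, spare ports parked, a trunk to the router, and an ACL on one router subinterface. The VLAN numbers and names, port numbers and the 10.0.x.0/24 addressing are all assumed.

```cisco
! Switch: 16 ports, three departments of 4 hosts each; management on VLAN 99, not VLAN 1
vlan 10
 name ENGINEERING
vlan 20
 name SALES
vlan 30
 name FINANCE
vlan 99
 name MANAGEMENT
! Static assignment per port range; spare ports parked in unrouted VLAN 999 and shut down
interface range FastEthernet0/1 - 4
 switchport mode access
 switchport access vlan 10
interface range FastEthernet0/5 - 8
 switchport mode access
 switchport access vlan 20
interface range FastEthernet0/9 - 12
 switchport mode access
 switchport access vlan 30
interface range FastEthernet0/13 - 15
 switchport access vlan 999
 shutdown
interface Vlan1
 shutdown
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
ip default-gateway 10.0.99.1
! Trunk to the router carries only the VLANs that need routing
interface FastEthernet0/16
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,99
! Router: one 802.1Q subinterface per VLAN; ACL keeps Sales out of Finance and management
ip access-list extended SALES-IN
 deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 deny ip 10.0.20.0 0.0.0.255 10.0.99.0 0.0.0.255
 permit ip 10.0.20.0 0.0.0.255 any
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group SALES-IN in
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
interface GigabitEthernet0/0.99
 encapsulation dot1Q 99
 ip address 10.0.99.1 255.255.255.0
```

Each department is its own broadcast domain and subnet, and only the router (via the trunk) can move traffic between them, which is where the ACL gets its leverage.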

Dynamic VLANs by MAC address add flexibility at the expense of administrative overhead, performance and scalability.

Another type of VLAN not discussed is the protocol-based VLAN. According to the seminar, it is the same as a dynamic VLAN except that it works based on IP, and it is not common anymore due to DHCP. (I am not convinced.)

Advantages of VLANs:
-Less expensive than routers for broadcast segmentation
-Allows nodes to move logically rather than physically
-Improves security
-Able to segment a switch into multiple switches

Limitations of VLANs:
-May require extensive planning and design
-VLANs are proprietary, single-vendor solutions (What? For VLANs to cross, one simply requires the switches to support 802.1Q. It's only the extra features that are proprietary. Where did they get this text from?)

When a VLAN is deleted, ports associated with that VLAN become inactive. The port remains associated with the deleted VLAN until it is assigned to a new VLAN.
