Saturday, March 21, 2009

Virtual Local Area Network

Introduction
The purpose of this document is to provide a better understanding of Virtual Local Area Networks (VLANs) and their use in the Network 21 architecture. In the following sections, we will define a VLAN and describe its benefits as well as some limitations. We will explain why it is important for a LAN administrator to understand VLANs, and give some basic instructions to determine how many VLANs a department would typically need. Lastly, contact information will be provided for any additional questions you might have.

The main reason for covering all of this is to further your understanding of the changes that will occur as part of Network 21 and to assist you in filling out the Network 21 Stage 3 Survey. Using this information to determine a department's VLAN needs will ease the conversion process. If VLANs are well conceived in advance, there will be no need to readdress devices or modify VLAN configurations more than once. This will save everyone involved a great deal of effort and minimize the number of changes needed after the initial conversion.
What is a VLAN?
To understand VLANs, it is first necessary to have an understanding of LANs. A Local Area Network (LAN) can generally be defined as a broadcast domain. Hubs, bridges or switches in the same physical segment or segments connect all end node devices. End nodes on the same LAN can communicate with each other without a router; communicating with devices on other LAN segments requires one.
In Figure 1, each LAN is separated from the others by a router. This represents the current UCDNet topology. The individual LANs and broadcast domains are represented by the areas bounded by the dotted lines and numbered 1 through 5 for future reference. Note that the router interface for each LAN is included as part of that LAN and broadcast domain.
As networks expand, more routers are needed to separate users into broadcast and collision domains and provide connectivity to other LANs.


One drawback to this design is that routers add latency, which delays the transmission of data. The delay comes from the work involved in routing data from one LAN to another: a router must examine more of each packet (the network layer header, not just the frame header) to determine the destination and forward the data to the appropriate end node.

Virtual LANs (VLANs) can be viewed as a group of devices on different physical LAN segments which can communicate with each other as if they were all on the same physical LAN segment. VLANs provide a number of benefits over the network described in Figure 1, which we will discuss in the next section. In order to take advantage of the benefits of VLANs, a different network topology is needed.

The switched network in Figure 2, built from the same end nodes, provides the same connectivity as Figure 1. Although it has some distinct speed and latency advantages over the network in Figure 1, it also has some serious drawbacks. The most notable of these for the purposes of this discussion is that all hosts (end nodes) are now in the same broadcast domain. This adds a significant amount of traffic to the network that is seen by every host. As the network grows, broadcast traffic can flood it and make it essentially unusable.

Switches using VLANs create the same division of the network into separate broadcast domains but do not have the latency problems of a router. Switches are also a more cost-effective solution. Figure 3 shows a switched network topology using VLANs.

Notice that the initial logical LAN topology from Figure 1 has been restored, with the major changes being the addition of Ethernet switches and the use of only one router. Notice also that the LAN identifiers appear on the single router interface. It is still necessary to use a router when moving between broadcast domains, and in this example, the router interface is a member of all of the VLANs. There are a number of ways to do this, and most are still proprietary and vendor-based.

By now you are probably wondering why someone would go to all this work to end up with what appears to be the same network (at least from a logical standpoint) as the original one. Consider Figure 4, where we begin to take advantage of some of the benefits of VLANs.
In the previous examples, LANs have been grouped with physical location being the primary concern. In Figure 4, VLAN 1 has been built with traffic patterns in mind. All of the end devices in 1b, 1c, and 1d are primarily used for access to the minicomputer in 1a. Using VLANs, we are able to group these devices logically into a single broadcast domain. This confines broadcast traffic for this workgroup to just the devices that need to see it and reduces traffic on the rest of the network. Connections within the workgroup are also faster, because no router sits in the path. An additional security benefit could be realized if we decided not to allow access to the minicomputer from foreign networks, i.e., traffic originating from another subnet on the far side of the router, since the router is the one point through which such traffic must pass.

If we extend this thinking, we can now create a network that is independent of physical location and group users into logical workgroups. For instance, if a department has users in three different locations, it can now provide access to servers and printers as if they were all in the same building. The next figure illustrates this concept using the same end devices as in Figure 1, logically grouped by function, traffic pattern, and workgroup.

VLAN 1 is a group of users whose primary function is to access a database on a minicomputer. VLAN 2 comprises a similar group of users who require access to local servers and the mainframe. VLAN 3 is a department with servers and user workstations on different floors and, in the case of the workstations in 3b, in different buildings. VLANs 4 and 5 represent different departments with workstations and servers in single buildings.

One problem remains with the picture above. In a campus environment the size of UC Davis, it is difficult to scale this model because of physical distances and sheer numbers of devices.

Enter ATM and Network 21. The solution to these problems is to install ATM in the core (the "cloud") and use LAN Emulation (LANE) to provide backbone services to the edge devices, in this case the Ethernet switches shown in Figure 5. Without going into detail, LAN Emulation over ATM fully supports existing LAN-based applications without changes: the LANE software makes the underlying network's move to ATM transparent to them. In addition, LANE provides the following benefits:

Higher capacity
Superior allocation and management of network capacity
Easier management of the constantly changing LAN membership
Access to multiple VLANs from the same physical interface
Ease of evolution to new applications

The figure below shows VLANs in an ATM LANE environment. You'll notice that nothing has changed at the edges of the network, and a little more detail has been added at the core.

We will not discuss ATM LANE in detail here. For the purpose of this discussion, the picture above shows a high level view of an ATM VLAN environment and closely mirrors the Network 21 architecture.

VLAN Benefits
As we have seen, there are several benefits to using VLANs. To summarize, VLAN architecture benefits include:
Increased performance
Improved manageability
Network tuning and simplification of software configurations
Physical topology independence
Increased security options

Increased performance

Switched networks by nature will increase performance over shared media devices in use today, primarily by reducing the size of collision domains. Grouping users into logical networks will also increase performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Additionally, less traffic will need to be routed, and the latency added by routers will be reduced.

Improved manageability
VLANs provide an easy, flexible, less costly way to modify logical groups in changing environments. VLANs make large networks more manageable by allowing centralized configuration of devices located in physically diverse locations.

Network tuning and simplification of software configurations
VLANs will allow LAN administrators to "fine tune" their networks by logically grouping users. Software configurations can be made uniform across machines by consolidating a department's resources into a single subnet: IP addresses, subnet masks, and local network protocols will be consistent across the entire VLAN. Fewer BOOTP and DHCP servers will be needed in this environment, and those services can be deployed more effectively when a VLAN spans buildings.
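The glossary below describes an IP address as a network number, an optional subnetwork number and a host number, with the subnet mask used to extract them, and the introduction warns that devices may need readdressing when a department is consolidated onto one subnet. The following Python is an added example, not part of the original Network 21 document: decompose() applies the classful rules the glossary states (classes A, B and C carry natural 8-, 16- and 24-bit masks; D and E are not subnetted), and needs_readdressing() lists hosts whose current address does not fall in the VLAN's planned subnet. All addresses in it are constructed private-range samples.

```python
"""Split an IPv4 address into the network, subnet and host numbers under the
classful model described in the glossary, and flag hosts that would need
readdressing before they can share one subnet on a VLAN. Added example, not
from the original document; all addresses below are constructed samples."""


def ip_to_int(dotted):
    """Parse dotted-decimal notation into a 32-bit integer, rejecting junk."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    n = 0
    for o in octets:
        n = (n << 8) | int(o)
    return n


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(ip):
    """Classful rules: the leading bits of the first octet fix the class and
    the natural (unsubnetted) network mask. D (multicast) and E (reserved)
    have no host portion, so no natural mask is returned for them."""
    first = ip >> 24
    if first < 128:
        return "A", 0xFF000000
    if first < 192:
        return "B", 0xFFFF0000
    if first < 224:
        return "C", 0xFFFFFF00
    return ("D", None) if first < 240 else ("E", None)


def decompose(dotted, mask_dotted):
    """Return the pieces the subnet mask extracts from an address."""
    ip, mask = ip_to_int(dotted), ip_to_int(mask_dotted)
    host_bits = (~mask) & 0xFFFFFFFF
    if host_bits & (host_bits + 1):          # mask ones must be contiguous from the left
        raise ValueError(f"non-contiguous mask: {mask_dotted}")
    cls, natural = address_class(ip)
    if natural is None:
        raise ValueError(f"class {cls} address {dotted} is not subnetted")
    if (mask & natural) != natural:
        raise ValueError(f"mask {mask_dotted} is shorter than the class {cls} mask")
    return {
        "class": cls,
        "network": int_to_ip(ip & natural),          # classful network number
        "subnet": int_to_ip(ip & mask),              # network plus subnet bits
        "subnet_bits": bin(mask ^ natural).count("1"),
        "host": ip & host_bits,                      # host number within the subnet
        "broadcast": int_to_ip((ip & mask) | host_bits),
        "usable_hosts": max(host_bits - 1, 0),       # all-zeros and all-ones excluded
    }


def same_subnet(a, b, mask_dotted):
    """True when two addresses share the network and subnet bits under the mask."""
    m = ip_to_int(mask_dotted)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)


def needs_readdressing(subnet, mask_dotted, hosts):
    """Hosts whose current address does not fall in the VLAN's planned subnet;
    these must be renumbered before the VLAN is consolidated onto one subnet."""
    return [h for h in hosts if not same_subnet(h, subnet, mask_dotted)]


if __name__ == "__main__":
    # Constructed sample: a department VLAN planned as 172.16.5.128 with a /25 mask.
    print(decompose("172.16.5.130", "255.255.255.128"))
    print(needs_readdressing("172.16.5.128", "255.255.255.128",
                             ["172.16.5.130", "172.16.5.3", "172.16.5.200"]))
```

Run as a script it prints the decomposition of one sample address and the single host (172.16.5.3) that lies outside the planned subnet and would have to be renumbered before the conversion. The contiguity check rejects masks such as 255.0.255.0 that would otherwise silently produce nonsense network numbers.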

Physical topology independence
VLANs provide independence from the physical topology of the network by allowing physically diverse workgroups to be logically connected within a single broadcast domain. If the physical infrastructure is already in place, it now becomes a simple matter to add ports in new locations to existing VLANs if a department expands or relocates. These assignments can take place in advance of the move, and it is then a simple matter to move devices with their existing configurations from one location to another. The old ports can then be "decommissioned" for future use, or reused by the department for new users on the VLAN.

Increased security options

VLANs have the ability to provide additional security not available in a shared media network environment. By nature, a switched network delivers a unicast frame only to the port on which it has learned the destination, and broadcast frames only to members of the same VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general user community regardless of physical location. In addition, a traffic analyzer attached to a port sees only the traffic associated with that particular port, which makes covert monitoring of network traffic more difficult.
It should be noted that the enhanced security mentioned above is not to be considered an absolute safeguard against intrusion. What it provides is an additional safeguard against "casual" but unwelcome attempts to view network traffic. A frame whose destination the switch has not yet learned is still flooded to every port in the VLAN, so a host in the same VLAN can still see some traffic not addressed to it, and a router (or a filter on the router) is still needed to control what passes between VLANs.
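The forwarding rules described in this section and in the discussion of Figure 3 above (broadcast domains per VLAN, a single router interface that is a member of every VLAN, and access ports that cannot extend a VLAN beyond the edge device) can be made concrete with a small model. The following Python is an added example, not code from the original Network 21 document or from any switch vendor. The switch behaviour it models is a simplification stated as an assumption in the comments: access ports accept only untagged frames and assign them the port's VLAN, the trunk to the router carries 802.1Q-tagged frames, and a broadcast or unknown-unicast frame is flooded only within its VLAN. Every MAC address, port name and payload in it is made up.

```python
"""Model of a VLAN-aware Ethernet switch: 802.1Q tag parsing, per-VLAN MAC
learning, flooding confined to one VLAN, and a single trunk port that carries
every VLAN to the router, as in the one-router layout of Figure 3. Added
illustration, not code from the original document; addresses are made up."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100
BROADCAST = bytes.fromhex("ffffffffffff")


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]      # None means the frame carried no 802.1Q tag
    payload: bytes           # EtherType plus data, with the tag (if any) removed


def build_frame(dst, src, vlan, payload):
    """Serialise a frame; insert a 4-byte 802.1Q tag (TPID + TCI) when vlan is given."""
    tag = b"" if vlan is None else struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return dst + src + tag + payload


def parse_frame(raw):
    """Split a raw frame; the VLAN ID is the low 12 bits of the tag's TCI field."""
    dst, src = raw[0:6], raw[6:12]
    if struct.unpack("!H", raw[12:14])[0] == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", raw[14:16])[0]
        return Frame(dst, src, tci & 0x0FFF, raw[16:])
    return Frame(dst, src, None, raw[12:])


@dataclass
class Port:
    name: str
    access_vlan: Optional[int] = None       # set on edge (access) ports
    trunk_vlans: frozenset = frozenset()    # set on the router-facing trunk

    def carries(self, vlan):
        return vlan == self.access_vlan or vlan in self.trunk_vlans


class VlanSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}   # (vlan, mac) -> port name, learned from source addresses

    def _ingress_vlan(self, port, frame):
        # Modelling assumption: an access port accepts only untagged frames and
        # assigns them its VLAN; a tagged frame arriving there is dropped. A trunk
        # accepts only frames tagged with a VLAN it is allowed to carry.
        if port.access_vlan is not None:
            return port.access_vlan if frame.vlan is None else None
        return frame.vlan if frame.vlan in port.trunk_vlans else None

    def receive(self, in_port, raw):
        """Return {egress port: raw frame} for one frame arriving on in_port."""
        frame = parse_frame(raw)
        vlan = self._ingress_vlan(self.ports[in_port], frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src)] = in_port
        known = None if frame.dst == BROADCAST else self.mac_table.get((vlan, frame.dst))
        if known is not None:
            targets = [] if known == in_port else [known]
        else:   # broadcast or unknown unicast: flood, but only within this VLAN
            targets = [n for n, p in self.ports.items() if n != in_port and p.carries(vlan)]
        out = {}
        for n in targets:   # tag on the trunk, strip the tag toward access ports
            tag = None if self.ports[n].access_vlan is not None else vlan
            out[n] = build_frame(frame.dst, frame.src, tag, frame.payload)
        return out


def demo():
    """Walk the Figure 3 layout: VLAN 1 on e1/e2, VLAN 2 on e3, router on trunk0."""
    sw = VlanSwitch([Port("e1", access_vlan=1), Port("e2", access_vlan=1),
                     Port("e3", access_vlan=2), Port("trunk0", trunk_vlans=frozenset({1, 2}))])
    a, b, c = (bytes.fromhex(m) for m in ("020000000001", "020000000002", "020000000003"))
    router = bytes.fromhex("0200000000ff")
    arp = b"\x08\x06who-has"        # constructed payload: EtherType 0x0806 plus filler
    results = {}
    # 1. A broadcasts: reaches e2 and the trunk (tagged VID 1), never VLAN 2's e3.
    out = sw.receive("e1", build_frame(BROADCAST, a, None, arp))
    results["broadcast_ports"] = sorted(out)
    results["trunk_tag"] = parse_frame(out["trunk0"]).vlan
    # 2. B answers A: A's MAC has been learned on e1, so only e1 receives the reply.
    out = sw.receive("e2", build_frame(a, b, None, b"\x08\x06reply"))
    results["unicast_ports"] = sorted(out)
    # 3. A addresses C (VLAN 2) directly: unknown in VLAN 1, so flooded in VLAN 1
    #    only. A sniffer on e2 sees a frame not addressed to it (the caveat above);
    #    C never does, and only the router on the trunk can carry it across.
    out = sw.receive("e1", build_frame(c, a, None, b"\x08\x00ip-data"))
    results["cross_vlan_ports"] = sorted(out)
    # 4. Port constraint: a tagged frame from a departmental switch on an access port is dropped.
    results["tagged_on_access"] = sorted(sw.receive("e1", build_frame(c, a, 2, b"\x08\x00x")))
    # 5. The router forwards into VLAN 2 over the trunk; C receives it untagged on e3.
    out = sw.receive("trunk0", build_frame(c, router, 2, b"\x08\x00ip-data"))
    results["routed_ports"] = sorted(out)
    results["routed_untagged"] = parse_frame(out["e3"]).vlan is None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run as a script it prints one line per scenario. Step 3 is the caveat from the paragraph above: until the switch has learned where a destination is, a frame addressed to it is flooded to every port in the VLAN, so a host in the same VLAN sees traffic that is not for it, while a host in another VLAN never does. Step 4 is the port constraint discussed under VLAN Limitations: a VLAN-capable departmental switch cannot push its own tags through an access port on the edge device.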
VLAN Limitations
There are a few limitations to using VLANs, some of the more notable being:
Broadcast limitations
Device limitations
Port constraints

Broadcast limitations
In order to handle broadcast traffic in an ATM VLAN environment it is necessary to have a special broadcast server that is an integrated part of the ATM infrastructure. This server is limited in the number of broadcasts it can forward. Some network protocols that will be running within individual VLANs, such as IPX and AppleTalk, make extensive use of broadcast traffic. This can push the switches or the broadcast server past their thresholds and may require special consideration when determining VLAN size and configuration.

Device limitations
The number of Ethernet addresses that can be supported by each edge device is 500. This represents a distribution of about 20 devices per Network 21 port. These numbers are hard technical limits that could be further reduced by the performance requirements of attached devices.
These limits are above the recommended levels for high performance networking. From a pure performance standpoint, the ideal ratio of end-user devices to Network 21 ports would be one device per port. From a practical point of view, a single Network 21 port could be shared by a number of devices that do not require a great deal of bandwidth and belong to the same VLAN. An example of this would be a desktop computer, printer, and laptop computer for an individual user.

Port Constraints
If a departmental hub or switch is connected to a Network 21 port, every port on that hub or switch must belong to the same VLAN. Hubs cannot assign VLANs to individual ports, and VLANs cannot be extended beyond the edge device ports even if the attached switch is capable of supporting VLANs itself.
Preparation for VLANs
Here are answers to some questions that you might have with regards to the implementation of Network 21 and VLANs.

How many VLANs do I need?

The Network 21 Project can accommodate 300 to 400 VLANs. In the majority of cases a department should only need one VLAN. Given that there are 250 departments included in the project, departments should try to limit their VLANs to one or two. Each LAN Administrator will need to determine appropriate logical groups for their department. It is anticipated that most departments will obtain maximum benefit by consolidating the majority (if not all) of their users into a single large VLAN. Smaller VLANs would then be used, if necessary, to group together power users or those requiring special handling.

What VLAN information is required by the survey?
As part of the Network 21 Stage 3 survey you will be asked to identify both the number of VLANs your department requires and the individual NAMs that comprise each VLAN. A worksheet will be provided for each of these tasks. The Department VLAN Worksheet simply asks for the VLAN number (start with one and increment accordingly), a description or purpose, the primary department owner, and the name of any other departments on the VLAN. The Department NAM Verification worksheet lists all of the department's NAMs with their building and room numbers. You are asked to supply the VLAN number (from the Department VLAN Worksheet) each NAM is to be connected to, and the number of devices served by that NAM. There are also check boxes to identify whether any devices attached to each NAM are running AppleTalk, DECNET, or IPX. Detailed instructions and examples will be provided with the survey sheets to assist you in filling out these forms.
Glossary
ATM
Asynchronous Transfer Mode. International standard for cell relay in which multiple service types (such as voice, video, or data) are conveyed in fixed-length (53-byte) cells. Fixed-length cells allow cell processing to occur in hardware, thereby reducing delay. ATM is designed to take advantage of high-speed transmission media.
Bridge
A device that connects and passes packets between two network segments that use the same communications protocol. Bridges operate at the data link layer (Layer 2) of the OSI reference model. In general, a bridge will filter, forward, or flood an incoming frame based on the MAC address of that frame.
BOOTP
Bootstrap Protocol. A protocol that is used by a network node to determine the IP address of its Ethernet interfaces, in order to effect network booting.
Broadcast Domain
The set of all devices that will receive broadcast frames originating from any device within the set. Broadcast domains can be bounded by VLANs in a stand-alone environment. In an internetworking environment, they are typically bounded by routers because routers do not forward broadcast frames.
Collision
In Ethernet, the result of two nodes that transmit simultaneously. The frames from each device impact and are damaged when they meet on the physical media.
Collision Domain
In Ethernet, the network area within which frames that have collided are propagated. Repeaters and hubs propagate collisions; LAN switches, bridges and routers do not.
CSMA/CD
Carrier Sense Multiple Access/Collision Detect. Media-access mechanism wherein devices ready to transmit data first check the channel for a carrier signal. If no carrier is sensed for a specific period, a device can transmit. A collision occurs if two devices transmit simultaneously, and the collision is detected by all colliding devices. This collision subsequently delays retransmissions from those devices for some random length of time. CSMA/CD access is used by Ethernet and IEEE 802.3.
DHCP
Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.
Edge Device
A physical device that is capable of forwarding packets between legacy interfaces (such as Ethernet and Token Ring) and ATM interfaces based on data-link and network layer information. An edge device does not participate in the running of any network layer routing protocol.
Ethernet
Baseband LAN specification invented by Xerox Corporation and developed jointly by Xerox, Intel, and Digital Equipment Corporation. Ethernet networks use CSMA/CD and run over a variety of cable types at 10 Mbps. Ethernet is similar to the IEEE 802.3 series of standards.
Fast Ethernet
Any of a number of 100-Mbps Ethernet specifications, Fast Ethernet offers a speed increase ten times that of the 10BaseT Ethernet specification, while preserving such qualities as frame format, MAC mechanisms, and MTU. Such similarities allow the use of existing Ethernet applications and network management tools on Fast Ethernet networks. Fast Ethernet is based on an extension to the IEEE 802.3 specification.
Frame
The logical grouping of information sent as a data link layer unit over a transmission medium. Often refers to the header and trailer, used for synchronization and error control, which surround the user data contained in the unit.
Hub
Generally, a device that serves as the center of a star-topology shared network. Also describes a hardware or software device that contains multiple independent but connected modules of network and internetwork equipment.
IEEE
Institute of Electrical and Electronics Engineers. The IEEE is a professional organization whose activities include the development of communications and network standards. IEEE LAN standards are the predominant LAN standards today.
IP
Internet Protocol. Network layer protocol in the TCP/IP stack offering a connectionless internetwork service. IP provides features for addressing, type-of-service specification, security, and fragmentation and reassembly.
IP Address
32-bit address assigned to hosts using TCP/IP. An IP address belongs to one of five classes (A, B, C, D, or E) and is written as four octets separated by periods (dotted decimal format). Each address consists of a network number, an optional subnetwork number, and a host number. The network and subnetwork numbers together are used for routing, while the host number is used to address an individual host within the network or subnetwork. A subnet mask is used to extract network and subnetwork information from the IP address.
LAN
Local-Area Network. High-speed, low-error data network covering a relatively small geographic area (up to a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area. LAN standards specify cabling and signaling at the physical and data link layers of the OSI model. Ethernet, FDDI, and Token Ring are widely used LAN technologies.
LANE
LAN emulation. Technology that allows an ATM network to function as a LAN backbone. The ATM network must provide multicast and broadcast support, address mapping (MAC-to-ATM), SVC management, and a usable packet format. LANE also defines Ethernet and Token Ring ELANs.
Latency
Delay between the time a device requests access to a network and the time it is granted permission to transmit. It is also the delay between the time when a device receives a frame and the time that frame is forwarded out the destination port.
Node
Endpoint of a network connection or a junction common to two or more lines in a network. Nodes can be processors, controllers, or workstations. Nodes, which vary in routing and other functional capabilities, can be interconnected by links, and serve as control points in the network. Node is sometimes used generically to refer to any entity that can access a network, and is frequently used interchangeably with device.
OSI Model
Open System Interconnection reference model. Network architectural model developed by ISO and ITU-T. The model consists of seven layers, each of which specifies particular network functions such as addressing, flow control, error control, encapsulation, and reliable message transfer. The lowest layer (the physical layer) is closest to the media technology. The lower two layers are implemented in hardware and software, while the upper five layers are implemented only in software. The highest layer (the application layer) is closest to the user. The OSI reference model is used universally as a method for teaching and understanding network functionality.
Packet
A logical grouping of information that includes a header containing control information and (usually) user data, packets are most often used to refer to network layer units of data.
Router
Network layer device that uses one or more metrics to determine the optimal path along which network traffic should be forwarded. Routers forward packets from one network to another based on network layer information. Occasionally called a gateway (although this definition of gateway is becoming increasingly outdated).
Subnet
Subnetwork. In IP networks, a network sharing a particular subnet address. Subnetworks are networks arbitrarily segmented by a network administrator in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks.
Subnet Mask
32-bit address mask used in IP to indicate the bits of an IP address that are being used for the subnet address. The subnet mask is sometimes referred to simply as mask.
Switch
A network device that filters, forwards, and floods frames based on the destination address of each frame. The switch operates at the data link layer of the OSI model.
VLAN
Virtual LAN. Group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.