Read an Excerpt

Chapter 4: Virtual LANs

With a growing number of users on a network comes the challenges of management, so it is not surprising that virtual local-area networks (VLANs) have become a popular feature of switches. VLANs ease the administrative duties of the network engineer. A VLAN gives an administrator the ability to remove the physical restrictions of the past and control a user's Layer 3 network address regardless of his or her physical location.

Other advantages of VLANs include enhanced security features, easier-to-control broadcasts, and the ability to distribute traffic. Cisco Catalyst switches have the ability to perform numerous functions to enhance and ease the implementation of VLANs.

The use of trunking allows a VLAN to span multiple switches that can be separated by small or large areas. Cisco also has implemented the trunking feature in many of its routing products, resulting in many helpful and interesting network designs.

VLAN Defined

A VLAN can be defined in two words — broadcast domain. VLANs are broadcast domains, and as we learned in Chapter 1, a broadcast domain is a Layer 3 network. A switch defines a VLAN, and the switch's ports will have membership in one of the defined VLANs. For example, in Figure 4-1, a switch has ports defined in two VLANs, Accounting and Management.

Ports 1 through 12 have been assigned to the Accounting VLAN, and ports 13 through 24 have been assigned to the Management VLAN. The switch will not allow broadcasts to flow between VLANs, thus logically segmenting the network (Figure 4-2).

If workstation A were to send a broadcast, all stations on the Accounting VLAN would receive it. However, theswitch would not forward the broadcast to any of the Management VLAN ports. In fact, a switch would not forward a frame from one VLAN to another unless it was a multilayer switch, which will be discussed later. Some of you may still be thinking about Chapter 1 when I said, "A router is the only device that can logically segment." Technically, this is incorrect. A switch can logically segment, but in the real world it is ludicrous to use a switch without a router as a device to logically segment because traffic will never be allowed to pass between VLANs. This is a very unlikely scenario and is pointless to discuss.

The workstations in the Accounting VLAN will be in a completely different broadcast domain from the Management VLAN's users and therefore will be in an entirely different IP subnet, IPX network, and Appletalk cable-range. In Figure 4-3, the Accounting WAN is assigned the IP subnet 172.16.10.0/24, the IPX Network 10, and the Appletalk cable-range 10-10. The Management VLAN is assigned the IP subnet 172.16.20.0/24, the IPX network 20, and the Appletalk cable-range 2020. Traffic from one VLAN will have no effect on the other, regardless of their physical locations on the floor.

Cisco's implementation of VLANs is port-centric. The port to which a node is connected will define the VLAN in which it resides. How a port gets assigned to a VLAN can vary with Cisco Catalyst switches. There are two methods of assigning ports to VLANs, static and dynamic.

Static VLANs

The static VLAN procedure is to administratively assign a port to a VLAN. An engineer determines which ports he or she would like on a particular VLAN and statically maps that VLAN to a port. For example, in Figure 4-1, the Accounting VLAN is defined to be any node connected to ports 1 through 12. An engineer would enter the appropriate commands, either from the command line interface (CLI) of the switch, an SNMP management station, or Cisco's software management tool CiscoWorks for Switched Internetworks (CWSI) to assign ports 1 through 12 to the Accounting VLAN. This method can be very time-consuming because the engineer has to manually enter the commands necessary to map the ports to their appropriate VLANs. However, it is the most common method of assigning a port to a VLAN.

Dynamic VLANs

A dynamic VLAN exists when a port decides what VLAN it belongs in for itself. No, this is not The Terminator or The Forbin Project becoming nonfiction; rather, it is a simple mapping that occurs based on a database created by an engineer. When a port that is assigned to be a dynamic VLAN port becomes active, the switch caches the source MAC address of the first frame (Figure 4-4).

It then makes a request to an external server called a VLAN management policy server (VMPS) that contains a text file with MAC addresses to VLAN mappings. The switch will download this file and examine it for the source MAC address it has cached for the port in question. If the MAC address is found in the table, the port will be assigned to the listed VLAN. If the MAC address is not in the table, the switch will use the default VLAN, if defined. In the event that the DAAC address is not listed in the table and there is no default VLAN, the port will not become active. This can be a very good method of security.<> Dynamic VLANs on the surface appear to be very advantageous, but building of the database can be a very painstaking and tortuous task. If a network has thousands of workstations, there will be a lot of typing. Assuming that one could survive the process, there are still other issues with dynamic VLANs. Keeping the database current can become an ongoing time-consuming process. Dynamic VLANs will be discussed further in Chapter 6. ...