Virtual Local Area Networks (VLANs)

A VLAN is a group of switched ports that acts as a separate, isolated LAN. There can be several VLANs defined on a single switch (see Figure 6.4). A VLAN can also span multiple switches. Workstations in separate VLANs will never encounter traffic from or share bandwidth with other VLANs unless the data is routed. In other words, a router or switch with routing capabilities is required if devices on different VLANs need to communicate. VLAN configuration is done through the switch and its software.

Figure 6.4. This figure shows a 12-port switch that has been divided into two VLANs. Ports 1 through 6 are VLAN 1, and ports 7 through 12 are VLAN 2.

Remember from earlier chapters that one of the main benefits of switches is that they segment a network into many collision domains. Each port represents a single collision domain, and devices share bandwidth only with other devices on the same switch port. Unless a switch is segmented into VLANs, however, all the devices on the switch are still in the same broadcast domain; that is, all broadcasts are sent to each port throughout the switching fabric.

VLANs introduce a way to limit the broadcast traffic in a switched network (a job normally associated with routers). When you create a VLAN by defining which ports belong to it, you are really just creating a boundary for broadcast traffic. This has the effect of creating multiple, isolated LANs on a single switch.

It is important to understand the need for routers in a switched network. If devices on different VLANs need to communicate, routing is required to facilitate this exchange of data. Many of today's network systems are collections of routers and switches.


What happens when a device on one VLAN needs to communicate with a device on another VLAN? Because a VLAN is a closed Layer 2 network, traffic must cross a Layer 3 device to communicate with other VLANs.

This means a router is required to facilitate the exchange of packets between VLANs.

It is possible for a device to participate in more than one VLAN by using a special type of network card that performs ISL, which is discussed later in this chapter.

The real benefit to using VLANs is that they can span multiple switches. Figure 6.5 shows two switches that are configured to share VLAN information.

Figure 6.5. VLANs can span multiple switches.

A large campus network may have hundreds of switches spread throughout several buildings. Users can be put on the appropriate VLANs easily, no matter where they are physically located. Users on the same VLAN do not have to be connected to the same device. Therefore, LANs are no longer tied to the physical location of users but rather can be assigned based on department, functional area, or security level. By isolating users according to department or functional area, network administrators can keep the majority of data traffic within one VLAN, thereby maximizing the amount of traffic switched at hardware speeds versus what is routed at slower software speeds.

The ability to assign a user to a VLAN on a port-by-port basis makes adding, moving, or deleting users simple. For example, let's say a user changes from the accounting department to the marketing department. If the network administrator designed the network and VLANs by functional department, this user would have changed VLANs. To accommodate this change, the administrator only has to make a software configuration change in the switch by assigning that user's port to the new VLAN.
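The broadcast boundary and the port move described above can be modeled in a few lines. This is an added example, not code from the book: it simulates the 12-port switch of Figure 6.4, and the class, method, and function names as well as the MAC addresses are hypothetical.

```python
# Added illustration: a minimal model of a port-based VLAN switch.
# Port layout follows Figure 6.4; all names here are hypothetical.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class VlanSwitch:
    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN ID
        self.mac_table = {}                # (vlan, mac) -> port, learned per VLAN

    def assign(self, port, vlan):
        """Move a port to another VLAN (the software configuration change)."""
        # Forget addresses learned on this port; they belonged to the old VLAN.
        self.mac_table = {k: p for k, p in self.mac_table.items() if p != port}
        self.port_vlan[port] = vlan

    def receive(self, in_port, src_mac, dst_mac):
        """Return the sorted list of ports the frame is sent out of."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src_mac)] = in_port      # learn the source
        out = self.mac_table.get((vlan, dst_mac))
        if dst_mac != BROADCAST and out is not None:
            return [] if out == in_port else [out]     # known unicast
        # Broadcast or unknown unicast: flood, but only inside the ingress VLAN.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)

def figure_6_4_switch():
    """12-port switch: ports 1-6 in VLAN 1, ports 7-12 in VLAN 2."""
    return VlanSwitch({p: (1 if p <= 6 else 2) for p in range(1, 13)})

if __name__ == "__main__":
    sw = figure_6_4_switch()
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed MACs
    print(sw.receive(1, a, BROADCAST))   # broadcast from port 1 stays in VLAN 1
    print(sw.receive(7, b, BROADCAST))   # broadcast from port 7 stays in VLAN 2
    print(sw.receive(1, a, b))           # b unknown in VLAN 1: flooded in VLAN 1 only
    sw.assign(7, 1)                      # move port 7 into VLAN 1
    print(sw.receive(7, b, BROADCAST))   # b's broadcasts now reach VLAN 1 ports
    print(sw.receive(1, a, b))           # a reaches b at Layer 2, no router needed
```

Before the port move, a frame from port 1 addressed to the host on port 7 never leaves VLAN 1; only a Layer 3 device could carry it across, which the model deliberately leaves out.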

In addition, VLANs provide the flexibility necessary to group users by security level. This can greatly simplify applying a security policy to a network. In summary, here are the benefits of VLANs:

  • They simplify security administration.

  • They allow users to be grouped by functional area versus physical location.

  • They simplify moving and adding users.



CCNA Exam Cram[tm] 2 (Exams 640-821, 640-811, 640-801)
ISBN: 789730197
EAN: N/A
Year: 2005
Pages: 155
