Virtual (LAN) Reality: One Switch, but Multiple LANs


VLANs allow you to create multiple LANs, but without requiring extra switch hardware. This section describes how switches create virtual LANs, followed by a short description of some of the reasons why someone might want to use multiple VLANs.

How to Create a Virtual LAN

To create multiple physical LANs, or broadcast domains, you need multiple LAN switches. However, adding more LAN switches can be expensive. Luckily, LAN switch vendors include a feature in their products that allows you to create multiple broadcast domains in a single switch, essentially allowing you to create multiple LANs, but without the additional hardware. These broadcast domains are called virtual LANs (VLANs). VLANs are defined more formally as follows:

A broadcast domain, created by a switch, using a subset of the physical ports on the switch.

Earlier in the chapter, you read that a broadcast domain is the group of devices for which a broadcast frame sent by one device is received by all devices in the group. And as you well know now, a physical LAN is the same thing as a broadcast domain.

So, what's the difference between a physical LAN and a VLAN? Very little. The key lies in the fact that the network engineer can configure the switch and tell it to treat some physical ports as if they are in one broadcast domain (one VLAN) and then configure other ports to be in a different broadcast domain, in other words, a different VLAN. When you want multiple LANs, instead of buying a new switch to create a new physical LAN, you could just configure VLANs. Figure 7-5 shows an example, with the same network as in Figure 7-3.

Figure 7-5. Two Virtual LANs: Broadcasts Do Not Leave the Originating VLAN


The network engineer configured ports E0 and E1 to be in VLAN 1 and ports E2 and E3 to be in VLAN 2. The switch considers the two VLANs to be separate. In fact, this network behaves just like it would with the two physical switches shown in Figure 7-4. However, you get the advantage of not having to buy another switch!

Notice that the switch keeps a separate address table for each VLAN. So, the switch does learn all four MAC addresses, but the switch does not forward broadcasts or unicasts from one VLAN to the other. Figure 7-6 outlines the process.

Figure 7-6. No Forwarding Between the Two VLANs


The switch knows that the frame came in port E0 and that E0 has been configured as part of VLAN 1. The switch looks only at the VLAN 1 address table and finds a match. So, the switch forwards the frame. Even if there had not been a match in the VLAN 1 address table, the switch would have flooded the frame, but only out ports in VLAN 1. Therefore, neither Wilma nor Betty could get a copy of the frame.

In short, VLANs act just like physical LANs. The only difference is that physical LANs include all physical ports on a switch, whereas VLANs include a subset of the ports on a switch, based on the configuration that the network engineer adds. Actually, you can take the list of facts about physical LANs from earlier in this chapter, change the word "LAN" to "VLAN," and they are all still true:

  • Each VLAN has an independent MAC address table as compared to the other VLANs.

  • Broadcasts originating in one VLAN are flooded inside that VLAN.

  • Broadcasts originating in one VLAN are not forwarded into the other VLANs.

  • Unicasts originating in one VLAN are not forwarded into the other VLANs.

That's all there is to VLANs. A VLAN is just a LAN, or broadcast domain, that is created by configuring a switch. By telling the switch to treat some ports as if they are in one LAN, and others as if they are in a second LAN, you can create multiple virtual LANs.
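To make those four rules concrete, here is an added example (my code, not the book's) that simulates a four-port switch keeping one MAC address table per VLAN and confining both learning and flooding to the VLAN of the port a frame arrived on. The port-to-VLAN assignment follows Figure 7-5 (E0 and E1 in VLAN 1, E2 and E3 in VLAN 2). The MAC addresses and the labels host_a and host_b for the two VLAN 1 hosts are constructed assumptions, since the text names only Wilma and Betty on the VLAN 2 side.

```python
"""Simulate a VLAN-aware switch: one MAC table per VLAN, flooding confined to the VLAN.

Added example, not code from the book. Port assignments follow Figure 7-5;
the MAC addresses and the host labels host_a/host_b are constructed.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed MAC addresses for the four hosts (assumption, not from the book).
MAC_A = "00:00:00:00:00:0a"       # host_a on E0, VLAN 1
MAC_B = "00:00:00:00:00:0b"       # host_b on E1, VLAN 1
MAC_WILMA = "00:00:00:00:00:0c"   # Wilma on E2, VLAN 2
MAC_BETTY = "00:00:00:00:00:0d"   # Betty on E3, VLAN 2


class VlanSwitch:
    """A learning switch whose address table and flooding scope are per VLAN."""

    def __init__(self, port_vlan):
        # port name -> VLAN number, as configured by the network engineer
        self.port_vlan = dict(port_vlan)
        # One independent address table per VLAN: vlan -> {mac: port}
        self.tables = defaultdict(dict)

    def ports_in_vlan(self, vlan):
        return [p for p, v in self.port_vlan.items() if v == vlan]

    def receive(self, in_port, src, dst):
        """Process one frame arriving on in_port; return the ports it is sent out of."""
        if in_port not in self.port_vlan:
            raise ValueError(f"unknown port {in_port}")
        vlan = self.port_vlan[in_port]
        table = self.tables[vlan]
        # Learning: record the sender in this VLAN's table only.
        table[src] = in_port
        if dst != BROADCAST and dst in table:
            out_port = table[dst]
            # Known unicast: forward out exactly one port, never back out the input port.
            return [] if out_port == in_port else [out_port]
        # Broadcast or unknown unicast: flood, but only to the other ports in this VLAN.
        return [p for p in self.ports_in_vlan(vlan) if p != in_port]


def run_scenario():
    """Replay the kind of traffic shown in Figures 7-5 and 7-6; return what the switch did."""
    sw = VlanSwitch({"E0": 1, "E1": 1, "E2": 2, "E3": 2})
    results = {}
    # 1. host_a broadcasts (an ARP request, say): flooded, but only to E1.
    results["broadcast_from_a"] = sw.receive("E0", MAC_A, BROADCAST)
    # 2. host_b replies with a unicast; host_a is already in VLAN 1's table, so E0 only.
    results["reply_from_b"] = sw.receive("E1", MAC_B, MAC_A)
    # 3. Wilma addresses a frame to host_a's MAC. VLAN 2's table has never seen that
    #    address, so the switch floods within VLAN 2 (E3 only); E0 and E1 never see it.
    results["wilma_to_a"] = sw.receive("E2", MAC_WILMA, MAC_A)
    # 4. Betty broadcasts: only Wilma's port gets a copy.
    results["broadcast_from_betty"] = sw.receive("E3", MAC_BETTY, BROADCAST)
    results["tables"] = {vlan: dict(t) for vlan, t in sw.tables.items()}
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Step 3 is the one worth staring at: even a frame whose destination is unknown, which a single-LAN switch would flood everywhere, reaches only ports in the sender's VLAN. Notice also that the whole separation lives in the port_vlan mapping; change E2 from 2 to 1 and Wilma's frames start arriving on E0 and E1, which is exactly why the switch configuration is the thing to protect.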

Why You Need More Than One LAN

A VLAN is simply a LAN that is created by configuring a switch, so that a subset of its ports is considered to be in the same broadcast domain. But why would you bother? Couldn't you just leave the switch alone and let it work like always, with one physical LAN? Sure. In fact, often, particularly in small networks, you do not need to use VLANs. However, in medium to large enterprise networks, VLANs are quite popular. As my daughter would say (over and over again, by the way), "Why?" Well, I'll give you a few of the typical reasons over the next few pages of this chapter. This is not an exhaustive list, but it highlights a few of the popular reasons.

If 100 Devices in a LAN Is Good, 1000 Devices Must Be Better

In some cases, bigger is better, but in other cases, it is not. As a LAN grows, it might become too big. The problem? Well, every device in a broadcast domain receives every broadcast sent in it, and each PC must spend CPU cycles processing those received broadcasts. As the broadcast domain increases in size, every device has more broadcasts to process. As a result, it makes sense not to put too many devices in a single VLAN.

Although there is no exact number to shoot for, most networks today avoid LANs with more than a few hundred devices. If you have 1000 devices and you want no more than 200 per LAN, you could simply create five or more VLANs and put some devices in each VLAN.

OSI Layer 8 Issues

You might be wondering what OSI Layer 8 is. Well, there's more to most network design decisions than just the technical parts; in other words, there's more to life than just the actual, real, technical seven layers of the OSI model. People sometimes use the term Layer 8 to refer to internal politics at the company, business issues, and so on: all the stuff that is above and beyond the pure technical issues.

Often, Layer 8 issues drive some decisions about when to use VLANs. For example, imagine that the payroll department moves to the same floor as the IT department. The payroll director comes into your cube and says something like this: "Odom, I'm concerned that we will be on the same LAN as the IT group. They might be able to look at sensitive payroll traffic as it passes over the LAN."

First of all, if you're not me, you would be wondering why he called you "Odom," but your reply could be this simple: "Uhhh… how about if we put you on a different LAN? Does that work for you?" He agrees, and not only that, he's so happy that you accommodated him so easily that he promises to put in a good word with your boss. All you have to do is configure the switch to put the right ports into a new VLAN for payroll and enjoy the admiration of your new friend in the payroll department.

One caveat before you bask in that admiration: what you gave him is a Layer 2 boundary. The switch will no longer deliver payroll frames, broadcast or unicast, to ports in the IT VLAN, but that boundary is a configuration entry, not a physical wall. Anyone who can change the switch configuration can move an IT port into the payroll VLAN and undo it, and the payroll traffic itself is no more encrypted than it was before. VLANs keep frames apart; they do not protect the switch that keeps them apart.

OSI Layer 3 Design Goals

One of the more popular reasons to put a group of devices into the same VLAN relates to OSI Layer 3 concepts, and in particular, the Internet Protocol (IP). Unfortunately, you've not read enough about IP to appreciate the details yet. You will learn a lot more about IP in Chapters 10, "Delivering the Goods to the Right Street (IP) Address," and 11, "Knowing Where to Turn at Each Intersection (Router)." While you continue reading, keep in mind that IP uses concepts called networks and subnetworks, or subnets. As it turns out, the devices in the same LAN or VLAN are also in the same TCP/IP network or subnet.

You might have motivations for putting some devices in one IP network or subnet, and some in another. Because the conventional design maps each IP subnet onto exactly one LAN, devices that belong in two different IP networks or subnets go in two different LANs, so using VLANs is a convenient way to meet your Layer 3 design goals.

Saving Cash

Regardless of motivation, a network engineer might need to put devices in different LANs. Rather than buying more switching hardware, it is typically far more convenient and cost effective to just configure VLANs. The ultimate motivation for VLANs might simply be this: whatever design choice makes you want more LANs, VLANs let you have them without buying more hardware.




Computer Networking First-Step
ISBN: 1587201011
Year: 2004
Pages: 173
Authors: Wendell Odom
