Remember that layer 2 switches break up collision domains and that only routers can break up broadcast domains. However, virtual LANs can be used to break up broadcast domains in layer 2 switched networks. Routers are still needed in a layer 2 virtual LAN switched internetwork to enable the different VLANs to communicate with each other.
There are many benefits to creating VLANs in your internetwork. Remember that in a layer 2 switched network, the network is a flat network, as shown in Figure 3.1. Every broadcast packet transmitted is seen by every device on the network, regardless of whether the device needs to receive the data.
In a flat network, all users can see all devices. You cannot stop devices from broadcasting or users from trying to respond to broadcasts. Your only security consists of passwords on the servers and other devices.
By creating VLANs, you can solve many of the problems associated with layer 2 switching.
Figure 3.1: A flat network structure
Broadcasts occur in every protocol, but how often they occur depends on the protocol, the application(s) running on the internetwork, and how these services are used. VLANs can define smaller broadcast domains, which means that it is possible to stop application broadcasts to segments that do not use the application.
Although some older applications have been rewritten to reduce their bandwidth needs, there is a new generation of applications that are bandwidth greedy, consuming all they can find. These are multimedia applications that use broadcasts and multicasts extensively. Faulty equipment, inadequate segmentation, and poorly designed firewalls can also add to the problems of broadcast-intensive applications.
For the moment, you should consider multicast traffic to be the same as broadcast traffic. The switch has no default knowledge of multicast groups, and forwards it out of every port. We deal with this issue in detail in Chapter 7, “Multi-Layer Switching.”
These bandwidth-gobbling applications have added a new factor to network design because broadcasts can propagate through the switched network. Routers, by default, send broadcasts only within the originating network, but layer 2 switches forward broadcasts to all segments. This is called a flat network because it is one broadcast domain.
As an administrator, you must make sure the network is properly segmented to keep problems on one segment from propagating through the internetwork. The most effective way of doing this is through switching and routing. Because switches have become more cost-effective, a lot of companies are replacing the hub-and-router network with a pure switched network and VLANs. The largest benefit gained from switches with defined VLANs is that all devices in a VLAN are members of the same broadcast domain and receive all broadcasts. The broadcasts, by default, are filtered from all ports that are on a switch and are not members of the same VLAN.
Every time a VLAN is created, a new broadcast domain is created. VLANs are used to stop broadcasts from propagating through the entire internetwork. Some sort of internal route processor, or an external router must be used in conjunction with switches to provide connections between networks (VLANs).
In a flat internetwork, security is implemented by connecting hubs and switches together with routers. Security is then maintained at the router, but this causes three serious security problems:
Anyone connecting to the physical network has access to the network resources on that physical LAN.
A user can plug a network analyzer into the hub and see all the traffic in that network.
Users can join a workgroup just by plugging their workstation into the existing hub.
By using VLANs and creating multiple broadcast groups, administrators now have control over each port and user. Users can no longer just plug their workstation into any switch port and have access to network resources. The administrator controls each port and whatever resources it is allowed to use.
Because groups can be created according to the network resources a user requires, switches can be configured to inform a network management station of any unauthorized access to network resources. If inter-VLAN communication needs to take place, restrictions on a router can also be implemented. Restrictions can also be placed on hardware addresses, protocols, and applications.
VLANs also add more flexibility to your network by allowing only the users you want in the broadcast domain regardless of their physical location. Layer 2 switches read frames only for filtering; they do not look at the Network-layer protocol. This can cause a switch to forward all broadcasts. However, by creating VLANs, you are essentially creating separate broadcast domains. Broadcasts sent out from a node in one VLAN will not be forwarded to ports configured in a different VLAN. By assigning switch ports or users to VLAN groups on a switch—or a group of connected switches (called a switch-fabric)—you have the flexibility to add only the users you want in the broadcast domain regardless of their physical location. This can stop broadcast storms caused by a faulty network interface card (NIC) or stop an application from propagating throughout the entire internetwork.
When a VLAN gets too big, you can create more VLANs to keep the broadcasts from consuming too much bandwidth. The fewer users in a VLAN, the fewer are affected by broadcasts.
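As an added illustration (not from the text) of the forwarding rule described above, the following Python model of a layer 2 switch learns MAC addresses per VLAN and floods broadcasts and unknown unicasts only to ports in the sender's VLAN; a flat switch is the case where every port sits in one VLAN. The port numbers and MAC addresses are constructed for the example.

```python
# Added illustration (not from the text): a minimal model of a layer 2 switch
# that learns MAC addresses per VLAN and floods broadcasts/unknown unicasts
# only to ports in the sender's VLAN. A flat switch is the special case where
# every port sits in one VLAN.

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class VlanSwitch:
    """Port -> VLAN map plus a per-VLAN forwarding table (CAM table)."""
    port_vlan: dict  # constructed example: {1: 10, 2: 10, 3: 20}
    cam: dict = field(default_factory=dict)  # (vlan, mac) -> port

    def forward(self, in_port: int, src: str, dst: str) -> list:
        """Return the sorted list of ports a frame is sent out of."""
        vlan = self.port_vlan[in_port]
        # Source learning is scoped to the VLAN: the same MAC seen in another
        # VLAN is a separate entry, so tables never leak across VLANs.
        self.cam[(vlan, src)] = in_port
        same_vlan = sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)
        if dst == BROADCAST:
            return same_vlan  # the broadcast domain is exactly the VLAN
        known = self.cam.get((vlan, dst))
        if known is None:
            return same_vlan  # unknown unicast floods within the VLAN only
        return [known] if known != in_port else []  # filter if dst is behind in_port


def flat_vs_vlan():
    """Constructed scenario: six ports, first as a flat switch, then as two VLANs."""
    flat = VlanSwitch({p: 1 for p in range(1, 7)})
    segmented = VlanSwitch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20, 6: 20})
    host_a, host_d = "00:00:00:00:00:0a", "00:00:00:00:00:0d"
    flat_out = flat.forward(1, host_a, BROADCAST)       # every other port hears it
    vlan_out = segmented.forward(1, host_a, BROADCAST)  # only VLAN 10 ports hear it
    # Host D (port 4, VLAN 20) tries to reach A: A is unknown in VLAN 20, so the
    # frame floods VLAN 20 only; without a layer 3 device there is no path to A.
    reply = segmented.forward(4, host_d, host_a)
    return flat_out, vlan_out, reply


if __name__ == "__main__":
    print(flat_vs_vlan())
```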
To understand how a VLAN looks to a switch, it’s helpful to begin by first looking at a traditional collapsed backbone. Figure 3.2 shows a collapsed backbone created by connecting physical LANs to a router.
Each network is attached to the router, and each network has its own logical network number. Each node attached to a particular physical network must match that network number to be able to communicate on the internetwork. Now let’s look at what a switch accomplishes. Figure 3.3 shows how switches remove the physical boundary.
Switches create greater flexibility and scalability than routers can by themselves because switches define the network VLANs and VLAN port assignments. You can group users into communities of interest, which are known as VLAN organizations.
Because of switches, we don’t need routers anymore, right? Wrong. In Figure 3.3, notice that there are four VLANs, or broadcast domains. The nodes within each VLAN can communicate with each other but not with any other VLAN or node in another VLAN. When configured in a VLAN, the nodes think they are actually in a collapsed backbone, as in Figure 3.2. What do these hosts in Figure 3.2 need to do in order to communicate to a node or host on a different network? They need to go through the router, or other layer 3 device, just as they do when they are configured for VLAN communication, as shown in Figure 3.3. Communication between VLANs, just as in physical networks, must go through a layer 3 device.
Figure 3.2: Switches remove the physical boundary.
If the creation of VLANs using the existing addressing scheme does not produce the segmentation that you need, you may have to bite the bullet and renumber your network. But it’s not all bad news. Creating a new IP addressing scheme from the ground up may seem like a huge task, but it is greatly simplified by using an automatic addressing process such as Dynamic Host Configuration Protocol (DHCP).