9.4. 802.1q VLAN

Ordinarily, Ethernet provides one common broadcast domain per network segment. This means that when a packet comes across the segment destined for a local host whose hardware (MAC) address has not yet been resolved (ARPed) and associated with a certain switch port on the Ethernet segment, a broadcast to all ports is done in order to find a host with the right MAC address that's supposed to receive the packet. Once the port with the correct recipient is found, an ARP record is recorded in the switch so that all future traffic destined for that MAC address can go to that port rather than being broadcast. One problem with this is that the broadcast traffic, while only a small percentage on most networks, can be a waste of bandwidth. Another problem is that, when broadcasts occur, every device on the network can receive them, which is a potential security hazard. But, thanks to IEEE 802.1q, both of these problems can be minimized.

802.1q VLAN (virtual LAN) isn't really just a CoS standard; it's a way to separate Ethernet traffic logically, secure Ethernet broadcast domains, organize the network by separating network protocols such as NetBEUI and IPX/SPX into their own VLANs, and all kinds of other cool local area wizardry. Each VLAN is a logically separate broadcast domain, even if it coexists with other VLANs on the same physical segment.

9.4.1. Layer 2 Switching

With most vendors' Ethernet equipment, to create VLANs, each switch port is assigned a VLAN tag, a numeric identifier that is unique within the network. This tag identifies the VLAN in which that port participates. Once the tag is assigned, the device connected to that port will receive traffic only from the assigned VLAN and will be able to send traffic only to the assigned VLAN. This concept is illustrated in Figure 9-4. Different groups of ports on each switch are assigned to VLANs 1 and 2.
VLANs are a layer 2 concept, because they operate at the data link layer, below the purview of network protocols like TCP/IP. This is a good thing, because it allows you to implement VoIP with a way of easily removing non-TCP/IP traffic from your VoIP network. The solution is to establish a VLAN strictly for VoIP devices and then enforce a policy of not using NetBEUI, IPX/SPX, or other non-TCP/IP hosts on that VLAN.

Figure 9-4. VLAN trunk ports can be used to haul one or more VLANs from one switch to the next

9.4.2. Layer 3 Switching

Sometimes Ethernet switches can be used to groom, inspect, or route traffic. This practice is called layer 3 switching, because, like a router, the switch must have some knowledge of the network-layer protocol. Layer 3 switching accomplishes some router-like activities: queuing, routing, and packet inspection. Queuing and packet inspection are of great interest to people concerned with QoS, because they can be used to shape the traffic on the data link based on each packet's characteristics. For example, it's possible to drop all non-voice traffic by filtering protocol types (UDP, TCP, etc.) and port numbers. This isn't the preferred way of giving VoIP traffic precedence on the Ethernet segment, just one way. 802.1p is probably a better way of handling prioritization, and just about all layer 3 switches support it. But layer 3 switching can also be used to establish priorities for backbone traffic among different VLANs, and this is an important technique, especially when voice endpoints or trunk connections can't otherwise support a QoS standard. In one such situation, a data closet contains a hub or a non-QoS-aware switch, and that switch is connected to the backbone. Since that non-QoS switch can't do packet prioritization or DiffServ, at least it can glean the benefit of membership in an expedited VLAN.
Setting priorities for VLANs is a good way of bolstering QoS without a lot of overhead, but VLANs have one big caveat: excessive use can make your network hard to maintain. So don't use VLANs loosely. It's possible to build a network that's a VLAN monster. Complexity should be avoided when possible. Many enterprise VoIP networks use two VLANs: one for traditional data devices like PCs and printers and another for VoIP servers and phones. The cabling, of course, is all the same. Other setups may add a third VLAN for administrator use or for QoS reporting.

9.4.2.1 VLAN trunking

Since VLAN itself is a logical way of separating Ethernet traffic, using it to combine, or trunk, Ethernet traffic must be a logical task, too. Just as you would plug a patch cable between two switches to bridge them, you must logically bridge two VLANs. So if you want to connect two Ethernet switches across the same VLAN, they must be bridged both physically (using a patch cable, wireless repeater, etc.) and logically (using a trunk port to connect the two VLANs to both switches). When an Ethernet port is said to be a trunk port, this means that it can pass traffic on more than one VLAN. Therefore, it can send traffic only to an Ethernet device that is able to receive traffic on more than one VLAN. In Figure 9-4, one port on each switch has been set up as a trunk port, able to carry traffic for both VLANs between the switches. So, the voice VLAN is a separate broadcast domain from the data VLAN, even in a bridged, multilocation segment like this one. Ports that have a single VLAN assignment (i.e., ports that carry nontagged traffic for only a particular VLAN) are called access ports. In Figure 9-4, ports 1 through 6 and 8 through 12 are all access ports.

9.4.2.2 CoS over VLAN trunks

The Ethernet frame used to encapsulate trunked VLAN traffic contains 802.1q tagging, which identifies which VLAN each frame belongs to and which user priority the frame has.
This user priority field (UPF) ranges from 0 to 7, with 7 being the highest priority. Based on the UPF, priority traffic is sent across the VLAN trunk first and, when received on the other end, is sent to the receiving switch's backplane first. Meanwhile, lower-priority traffic is queued and ultimately dropped if the switch runs out of buffer space.

To recap, VLAN accomplishes several things that can improve VoIP service:
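The following is an added example, not code from the book, that puts the layer 2 switching, access/trunk port and 802.1q tagging material above into a small runnable model: a learning switch whose MAC table and flooding are scoped per VLAN, whose access ports admit only untagged frames and emit untagged frames, and whose trunk port carries frames with an 802.1q tag holding the VLAN ID and the user priority. The port layout (ports 1 through 6 on data VLAN 1, port 7 as the trunk, ports 8 through 12 on voice VLAN 2), the MAC addresses, the payloads and the per-port default priority applied to untagged frames are all constructed assumptions for the example, not details taken from Figure 9-4.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag follows
BROADCAST = b"\xff" * 6


@dataclass
class Port:
    number: int
    mode: str                  # "access" (one VLAN, untagged) or "trunk" (tagged, several VLANs)
    vlan: int = 0              # access port: the VLAN this port is assigned to
    allowed: frozenset = frozenset()   # trunk port: VLANs it is allowed to carry
    default_pcp: int = 0       # assumed per-port priority given to untagged frames on ingress

    def carries(self, vlan):
        return self.vlan == vlan if self.mode == "access" else vlan in self.allowed


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag (TPID + TCI) when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)   # 3-bit priority, 1-bit DEI (0), 12-bit VLAN ID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan or None, pcp, ethertype, payload) for a tagged or untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return dst, src, None, 0, etype, frame[14:]
    tci, etype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0xFFF, tci >> 13, etype, frame[18:]


class VlanSwitch:
    """A learning switch whose MAC table and flooding are scoped to one VLAN at a time."""

    def __init__(self, ports):
        self.ports = {p.number: p for p in ports}
        self.mac_table = {}    # (vlan, mac) -> port number

    def receive(self, in_no, frame):
        """Forward one frame; returns a list of (port number, frame bytes) deliveries."""
        port = self.ports[in_no]
        dst, src, vlan, pcp, etype, payload = parse_frame(frame)
        if port.mode == "access":
            if vlan is not None:
                return []                      # access ports carry untagged traffic only
            vlan, pcp = port.vlan, port.default_pcp
        elif vlan is None or vlan not in port.allowed:
            return []                          # untagged, or a VLAN this trunk does not carry
        self.mac_table[(vlan, src)] = in_no    # learn the sender inside its own VLAN only
        known = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            targets = [] if known == in_no else [known]
        else:                                  # broadcast or unknown unicast: flood within the VLAN
            targets = [n for n, p in self.ports.items() if n != in_no and p.carries(vlan)]
        out = []
        for n in targets:
            if self.ports[n].mode == "access":
                out.append((n, build_frame(dst, src, etype, payload)))              # untagged egress
            else:
                out.append((n, build_frame(dst, src, etype, payload, vlan, pcp)))   # trunk keeps the tag
        return out


def build_switch():
    """Constructed layout: ports 1-6 data VLAN 1, port 7 trunk, ports 8-12 voice VLAN 2."""
    ports = [Port(n, "access", vlan=1) for n in range(1, 7)]
    ports.append(Port(7, "trunk", allowed=frozenset({1, 2})))
    ports += [Port(n, "access", vlan=2, default_pcp=6) for n in range(8, 13)]
    return VlanSwitch(ports)


PC, PHONE_A, PHONE_B = (bytes.fromhex("02000000000%d" % i) for i in (1, 2, 3))   # constructed MACs


def demo():
    sw = build_switch()
    # A phone on voice port 8 broadcasts (constructed payload standing in for an ARP request).
    flood = sw.receive(8, build_frame(BROADCAST, PHONE_A, 0x0806, b"constructed"))
    _, _, vid, pcp, _, _ = parse_frame(dict(flood)[7])       # the copy sent over the trunk
    # Phone B on port 12 answers; PHONE_A was learned on port 8, so nothing is flooded.
    reply = sw.receive(12, build_frame(PHONE_A, PHONE_B, 0x0806, b"constructed"))
    # A tagged frame arriving on an access port is not admitted.
    rejected = sw.receive(1, build_frame(BROADCAST, PC, 0x0800, b"x", vlan=2))
    return {"flooded_to": sorted(n for n, _ in flood), "trunk_vid": vid, "trunk_pcp": pcp,
            "reply_ports": [n for n, _ in reply], "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The broadcast from the voice phone reaches only the other voice access ports and the trunk (where it leaves tagged with VLAN 2 and priority 6); none of the data VLAN ports ever sees it, which is the separate-broadcast-domain property the section describes.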
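An added example (not from the book) of what the UPF does at a trunk port under load: eight FIFO queues, one per priority value 0 through 7, share one buffer; the port always transmits from the highest non-empty queue, and when the buffer is exhausted a newly arriving frame evicts the oldest lowest-priority frame if it outranks it, otherwise the newcomer itself is dropped. The buffer size, the per-round transmit rate and the eviction rule are assumptions chosen to make the behaviour visible; real switches differ in their exact scheduling and drop policies.

```python
from collections import deque

HIGHEST_UPF = 7


def run_trunk_egress(rounds, buffer_slots, frames_per_round):
    """Simulate a strict-priority trunk egress port with a shared buffer.

    rounds: list of rounds, each a list of (upf, label) arrivals; after each round's
            arrivals the port transmits up to frames_per_round frames.
    Returns (sent, dropped), each a list of (upf, label) in order of occurrence.
    """
    queues = {p: deque() for p in range(HIGHEST_UPF + 1)}
    sent, dropped = [], []
    occupancy = 0
    for arrivals in rounds:
        for upf, label in arrivals:
            if occupancy == buffer_slots:
                # Buffer exhausted: find the lowest priority currently queued.
                victim_prio = min(p for p in queues if queues[p])
                if victim_prio >= upf:
                    dropped.append((upf, label))        # newcomer does not outrank anything: drop it
                    continue
                dropped.append((victim_prio, queues[victim_prio].popleft()))   # evict oldest low-priority frame
                occupancy -= 1
            queues[upf].append(label)
            occupancy += 1
        for _ in range(frames_per_round):
            for p in range(HIGHEST_UPF, -1, -1):        # highest UPF is served first
                if queues[p]:
                    sent.append((p, queues[p].popleft()))
                    occupancy -= 1
                    break
    return sent, dropped


def demo():
    """Constructed traffic mix: bulk data at UPF 0 competing with voice at UPF 6."""
    rounds = [
        [(0, "data1"), (0, "data2"), (0, "data3"), (0, "data4"), (6, "voice1")],
        [(6, "voice2"), (0, "data5"), (0, "data6"), (0, "data7")],
        [],
    ]
    return run_trunk_egress(rounds, buffer_slots=4, frames_per_round=2)


if __name__ == "__main__":
    sent, dropped = demo()
    print("sent:", sent)
    print("dropped:", dropped)
```

With a four-frame buffer, both voice frames are transmitted first in their round and none is lost, while three of the seven data frames are dropped; that is the trade the UPF buys for voice.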
For much more detailed information on VLAN, segmentation, and Ethernet in general, read O'Reilly's Ethernet: The Definitive Guide.