decisys

The Virtual LAN Technology Report

Contents

Introduction 2
Defining VLANs 3
  Membership by Port Group 3
  Membership by MAC Address 3
  Layer 3–Based VLANs 4
  IP Multicast Groups as VLANs 5
  Combination VLAN Definitions 5
  Automation of VLAN Configuration 5
  Communicating VLAN Membership Information 6
  Standards and the Proprietary Nature of VLANs 6
VLAN Implementation Benefits 7
  Reducing the Cost of Moves and Changes 7
  Virtual Workgroups 8
  Reduction of Routing for Broadcast Containment 9
  Routing Between VLANs 10
  VLANs Over the WAN 11
  Security 11
VLANs and ATM 11
  VLANs Transparent to ATM 11
  Complexity Arising with ATM-Attached Devices 11
  LAN Emulation 11
  Routing Between Emulated LANs and/or VLANs 13
  Edge Routing 14
  The One-Armed 14
  The Route Server 14
  MPOA 15
VLANs and DHCP: Overlapping Solutions 15
  DHCP Functionality 16
  Best Use for Each 16
  Overlap Between DHCP and VLANs 16
VLAN Architectures Going Forward 17
  Infrastructural VLANs 17
  Service-Based VLANs 18
VLAN Migration Strategies 19
Conclusion 20

Copyright©1996.

by David Passmore and John Freeman

David Passmore is president and co-founder of Decisys, Inc., a Sterling, Virginia–based consulting firm specializing in network design, architecture, and management for end-user organizations, and network product marketing and strategic planning for vendors. Before founding Decisys, David was vice president of the Gartner Group and a partner in Ernst & Young’s Center for Information Technology and Strategy in Boston, Massachusetts. David received a B.S. in computer science and engineering and an M.S. in electrical engineering and computer science, both from the Massachusetts Institute of Technology.

Introduction

Virtual LANs (VLANs) have recently developed into an integral feature of switched LAN solutions from every major LAN equipment vendor. Although end-user enthusiasm for VLAN implementation has yet to take off, most organizations have begun to look for vendors that have a well-articulated VLAN strategy, as well as VLAN functionality built into products today. One of the reasons for the attention placed on VLAN functionality now is the rapid deployment of LAN switching that began in 1994/1995. The shift toward LAN switching as a replacement for local/departmental routers—and now even shared media devices (hubs)—will only accelerate in the future. With the rapid decrease in Ethernet and Token Ring switch prices on a per-port basis, many more ambitious organizations are moving quickly toward networks featuring private port (single user/port) LAN switching architectures. Such a desktop switching architecture is ideally suited to VLAN implementation. To understand why private port LAN switching is so well suited to VLAN implementation, it is useful to review the evolution of segmentation and broadcast containment in the network over the past several years.

In the early 1990s, organizations began to replace two-port bridges with multiport, collapsed backbone routers in order to segment their networks at layer 3 and thus also contain broadcast traffic. In a network using only routers for segmentation, segments and broadcast domains correspond on a one-to-one basis. Each segment typically contained between 30 and 100 users.

With the introduction of switching, organizations were able to divide the network into smaller, layer 2–defined segments, enabling increased bandwidth per segment. Routers could now focus on providing broadcast containment, and broadcast domains could now span multiple switched segments, easily supporting 500 or more users per broadcast domain. However, the continued deployment of switches, dividing the network into more and more segments (with fewer and fewer users per segment), does not reduce the need for broadcast containment. Using routers, broadcast domains typically remain in the 100 to 500 user range.

VLANs represent an alternative solution to routers for broadcast containment, since VLANs allow switches to also contain broadcast traffic. With the implementation of switches in conjunction with VLANs, each segment can contain as few as one user (approaching private port LAN switching), while broadcast domains can be as large as 1,000 users or perhaps even more. In addition, if implemented properly, VLANs can track workstation movements to new locations without requiring manual reconfiguration of IP addresses.

Why haven’t more organizations deployed VLANs? For the vast majority of end-user organizations, switches have yet to be implemented on a large enough scale to necessitate VLANs. That situation will soon change. There are, however, other reasons for the lukewarm reception that VLANs have received from network users up to now:

• VLANs have been, and are still, proprietary, single-vendor solutions. As the networking industry has shown, proprietary solutions are anathema to the multivendor/open systems policies that have developed in the migration to local area networks and the client server model.

• Despite the frequently quoted numbers illuminating the hidden costs of networking, such as administration and moves/adds/changes, customers realize that VLANs have their own administrative costs, both straightforward and hidden.

• Although many analysts have suggested that VLANs enhance the ability to deploy centralized servers, customers may look at enterprise-wide VLAN implementation and see difficulties in enabling full, high-performance access to centralized servers.

This paper discusses these and other issues in greater detail, and attempts to determine the strategic implications that VLANs, present and future, pose for enterprise networks.

Defining VLANs

What is a VLAN? With the multitude of vendor-specific VLAN solutions and implementation strategies, defining precisely what VLANs are has become a contentious issue. Nevertheless, most people would agree that a VLAN can be roughly equated to a broadcast domain. More specifically, VLANs can be seen as analogous to a group of end-stations, perhaps on multiple physical LAN segments, that are not constrained by their physical location and can communicate as if they were on a common LAN.

However, at this point, issues such as the extent to which end-stations are not constrained by physical location, the way VLAN membership is defined, the relationship between VLANs and routing, and the relationship between VLANs and ATM have been left up to each vendor. To a certain extent these are tactical issues, but how they are resolved has important strategic implications.

Because there are several ways in which VLAN membership can be defined, this paper divides VLAN solutions into four general types: port grouping, MAC-layer grouping, network-layer grouping, and IP multicast grouping. We will discuss the issue of manual vs. automatic VLAN configuration, and describe techniques by which VLANs may be extended across multiple switches in the network. Finally, the paper takes a look at the present state of VLAN standards.

Membership by Port Group

Many initial VLAN implementations defined VLAN membership by groups of switch ports (for example, ports 1, 2, 3, 7, and 8 on a switch make up VLAN A, while ports 4, 5, and 6 make up VLAN B). Furthermore, in most initial implementations, VLANs could only be supported on a single switch.

Second-generation implementations support VLANs that span multiple switches (for example, ports 1 and 2 of switch #1 and ports 4, 5, 6, and 7 of switch #2 make up VLAN A; while ports 3, 4, 5, 6, 7, and 8 of switch #1 combined with ports 1, 2, 3, and 8 of switch #2 make up VLAN B). This scenario is depicted in Figure 1.

Port grouping is still the most common method of defining VLAN membership, and configuration is fairly straightforward. Defining VLANs purely by port group does not allow multiple VLANs to include the same physical segment (or switch port). However, the primary limitation of defining VLANs by port is that the network manager must reconfigure VLAN membership when a user moves from one port to another.

Membership by MAC Address

VLAN membership based on MAC-layer address has a different set of advantages and disadvantages. Since MAC-layer addresses are hard-wired into the workstation’s network interface card (NIC), VLANs based on MAC addresses enable network managers to move a workstation to a different physical location on the network and have that workstation automatically retain its VLAN membership. In this way, a VLAN defined by MAC address can be thought of as a user-based VLAN.

John Freeman is a senior consultant at Decisys, Inc., where he specializes in the development of technology marketing and vendor strategies. John also works with end-user clients to help them understand and evaluate emerging technologies and vendor strategies. Before joining Decisys, John worked as a consultant in Japan in the areas of networking and systems integration. He is fluent in Japanese and is an expert in the Japanese networking market. John holds a B.A. in East Asian Studies from Harvard University.

[Figure: Switch #1 and Switch #2, each with ports 1 through 8, joined by a backbone/backplane connecting multiple switches; hubs hang off some ports; the ports are shaded to show VLAN A and VLAN B, each spanning both switches.]

Figure 1. VLANs Defined by Port Group
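To make the port-group definition of Figure 1 concrete, here is an added example (it is not code from the report or from Decisys) that models the two switches with exactly the port assignments the figure shows, floods a broadcast only to ports belonging to the same VLAN, and carries VLAN membership across the interswitch backbone in an 802.1Q tag. The tag layout (TPID 0x8100 followed by a 16-bit TCI) is the format IEEE later standardized rather than anything the report specifies; the switch names, the VLAN IDs 10 and 20, and the sample frame are constructed for the example. It also shows the side effect the paper raises in its discussion of frame tagging: inserting the header pushes a maximum-size frame past the classic 1518-byte limit.

```python
"""Two port-group VLANs spanning two switches (Figure 1), with 802.1Q tagging on the
interswitch backbone.  Added example: switch names, VIDs and the sample frame are
constructed, and the tag layout is the later IEEE 802.1Q format, not the report's."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100        # EtherType value that announces a VLAN tag
FCS_LEN = 4                # trailing frame check sequence, not held in Frame.to_bytes()
MAX_UNTAGGED_FRAME = 1518  # classic Ethernet maximum: 14-byte header + 1500 payload + FCS


@dataclass
class Frame:
    dst: bytes       # 6-byte destination MAC
    src: bytes       # 6-byte source MAC
    ethertype: int
    payload: bytes

    def to_bytes(self) -> bytes:
        return self.dst + self.src + struct.pack("!H", self.ethertype) + self.payload


def tag_frame(raw: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) between the source MAC and EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | vid   # 3-bit priority, DEI left 0, 12-bit VLAN ID
    return raw[:12] + struct.pack("!HH", TPID_8021Q, tci) + raw[12:]


def untag_frame(tagged: bytes) -> tuple[int, bytes]:
    """Return (vid, original frame); refuse frames that do not carry a tag."""
    tpid, tci = struct.unpack("!HH", tagged[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1Q tagged frame")
    return tci & 0x0FFF, tagged[:12] + tagged[16:]


def exceeds_legacy_max(tagged: bytes) -> bool:
    """Tagging a maximum-size frame pushes it 4 bytes past the 1518-byte limit."""
    return len(tagged) + FCS_LEN > MAX_UNTAGGED_FRAME


class PortGroupSwitch:
    """VLAN membership is a property of the access port; one trunk reaches the peer switch."""

    def __init__(self, name: str, port_vlan: dict[int, str], vlan_ids: dict[str, int]):
        self.name = name
        self.port_vlan = port_vlan    # access port -> VLAN name
        self.vlan_ids = vlan_ids      # VLAN name -> VID used on the trunk
        self.peer = None

    def ports_in(self, vlan: str) -> list[int]:
        return sorted(p for p, v in self.port_vlan.items() if v == vlan)

    def flood_from_access(self, port: int, frame: Frame) -> list[tuple[str, int]]:
        """A broadcast (or unknown unicast) arrives untagged on an access port.

        Replicate it only to local ports in the same VLAN, then send one tagged copy
        over the trunk so the peer switch can confine it to the same VLAN.
        """
        vlan = self.port_vlan[port]
        out = [(self.name, p) for p in self.ports_in(vlan) if p != port]
        if self.peer is not None:
            out += self.peer.flood_from_trunk(tag_frame(frame.to_bytes(), self.vlan_ids[vlan]))
        return out

    def flood_from_trunk(self, tagged: bytes) -> list[tuple[str, int]]:
        """The tag, not a locally learned table, says which VLAN the frame belongs to."""
        vid, _ = untag_frame(tagged)
        vlan = next(n for n, v in self.vlan_ids.items() if v == vid)
        return [(self.name, p) for p in self.ports_in(vlan)]


VLAN_IDS = {"A": 10, "B": 20}   # constructed; the report only names the VLANs A and B


def figure1_network() -> dict[str, PortGroupSwitch]:
    """Port assignments exactly as Figure 1 shows them."""
    sw1 = PortGroupSwitch("switch1", {1: "A", 2: "A", **{p: "B" for p in range(3, 9)}}, VLAN_IDS)
    sw2 = PortGroupSwitch("switch2", {**{p: "A" for p in (4, 5, 6, 7)},
                                      **{p: "B" for p in (1, 2, 3, 8)}}, VLAN_IDS)
    sw1.peer, sw2.peer = sw2, sw1
    return {"switch1": sw1, "switch2": sw2}


def broadcast_reach(net: dict[str, PortGroupSwitch], switch: str, port: int) -> list[tuple[str, int]]:
    """Every (switch, port) that receives a broadcast sent from the given access port."""
    frame = Frame(b"\xff" * 6, bytes.fromhex("020000000001"), 0x0806, b"\x00" * 28)  # constructed
    return net[switch].flood_from_access(port, frame)


def needs_router(net: dict[str, PortGroupSwitch], a: tuple[str, int], b: tuple[str, int]) -> bool:
    """Stations in different VLANs can only talk through a router."""
    return net[a[0]].port_vlan[a[1]] != net[b[0]].port_vlan[b[1]]


if __name__ == "__main__":
    net = figure1_network()
    print("broadcast from switch1 port 1 reaches", broadcast_reach(net, "switch1", 1))
    print("broadcast from switch2 port 8 reaches", broadcast_reach(net, "switch2", 8))
    print("switch1/1 -> switch2/8 needs a router:", needs_router(net, ("switch1", 1), ("switch2", 8)))
    big = Frame(b"\xff" * 6, b"\x02" + b"\x00" * 5, 0x0800, b"\x00" * 1500).to_bytes()
    print("max-size frame exceeds 1518 once tagged:", exceeds_legacy_max(tag_frame(big, 10)))
```

A broadcast entering switch #1 on port 1 (VLAN A) is delivered to switch #1 port 2 and to ports 4 through 7 of switch #2, and to nothing in VLAN B; the only thing that tells switch #2 which VLAN the trunked copy belongs to is the VID in the tag, which is the membership-communication problem the paper takes up in its later sections.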

Acronyms and Abbreviations

AAL5: ATM Adaptation Layer Type 5
ASIC: Application-specific integrated circuit
ATM: Asynchronous Transfer Mode
DHCP: Dynamic Host Configuration Protocol
ELAN: Emulated LAN
FDDI: Fiber Distributed Data Interface
IPX: Internet Packet Exchange
LANE: LAN Emulation
LEC: LAN Emulation client
LES: LAN Emulation server
MAC: Media access control
MPOA: Multiprotocol over ATM
NIC: Network interface card
OSPF: Open Shortest Path First
PVC: Permanent virtual circuit
RIP: Routing Information Protocol
SVC: Switched virtual circuit
TCP/IP: Transmission Control Protocol/Internet Protocol
TDM: Time-division multiplexing

One of the drawbacks of MAC address–based VLAN solutions is the requirement that all users must initially be configured to be in at least one VLAN. After that initial manual configuration, automatic tracking of users is possible, depending on the specific vendor solution. However, the disadvantage of having to initially configure VLANs becomes clear in very large networks where thousands of users must each be explicitly assigned to a particular VLAN. Some vendors have mitigated the onerous task of initially configuring MAC-based VLANs by using tools that create VLANs based on the current state of the network—that is, a MAC address–based VLAN is created for each subnet.

MAC address–based VLANs that are implemented in shared media environments will run into serious performance degradation as members of different VLANs coexist on a single switch port. In addition, the primary method of communicating VLAN membership information between switches in a MAC address–defined VLAN also runs into performance degradation with larger-scale implementations. This is explained in “Communicating VLAN Membership Information,” later in this paper.

Another, but minor, drawback to VLANs based only on MAC-layer addresses emerges in environments that use significant numbers of notebook PCs with some docking stations. The problem is that the docking station and integrated network adapter (with its hard-wired MAC-layer address) usually remain on the desktop, while the notebook travels with the user. When the user moves to a new desk and docking station, the MAC-layer address changes, making VLAN membership impossible to track. In such an environment, VLAN membership must be updated constantly as users move around and use different docking stations. While this problem may not be particularly common, it does illustrate some of the limitations of MAC address–based VLANs.

Layer 3–Based VLANs

VLANs based on layer 3 information take into account protocol type (if multiple protocols are supported) or network-layer address (for example, subnet address for TCP/IP networks) in determining VLAN membership. Although these VLANs are based on layer 3 information, this does not constitute a “routing” function and should not be confused with network-layer routing.

Even though a switch inspects a packet’s IP address to determine VLAN membership, no route calculation is undertaken, RIP or OSPF protocols are not employed, and frames traversing the switch are usually bridged according to implementation of the Spanning Tree Algorithm. Therefore, from the point of view of a switch employing layer 3–based VLANs, connectivity within any given VLAN is still seen as a flat, bridged topology.

Having made the distinction between VLANs based on layer 3 information and routing, it should be noted that some vendors are incorporating varying amounts of layer 3 intelligence into their switches, enabling functions normally associated with routing. Furthermore, “layer 3 aware” or “multi-layer” switches often have the packet-forwarding function of routing built into ASIC chip sets, greatly improving performance over CPU-based routers. Nevertheless, a key point remains: no matter where it is located in a VLAN solution, routing is necessary to provide connectivity between distinct VLANs.

There are several advantages to defining VLANs at layer 3. First, it enables partitioning by protocol type. This may be an attractive option for network managers who are dedicated to a service- or application-based VLAN strategy. Second, users can physically move their workstations without having to reconfigure each workstation’s network address—a benefit primarily for TCP/IP users. Third, defining VLANs at layer 3 can eliminate the need for frame tagging in order to communicate VLAN membership between switches, reducing transport overhead.

One of the disadvantages of defining VLANs at layer 3 (vs. MAC- or port-based VLANs) can be performance. Inspecting layer 3 addresses in packets is more time consuming than looking at MAC addresses in frames. For this reason, switches that use layer 3 information for VLAN definition are generally slower than those that use layer 2 information. It should be noted that this performance difference is true for most, but not all, vendor implementations.

VLANs defined at layer 3 are particularly effective in dealing with TCP/IP, but less effective with protocols such as IPX, DECnet, or AppleTalk, which do not involve manual configuration at the desktop. Furthermore, layer 3–defined VLANs have particular difficulty in dealing with “unroutable” protocols such as NetBIOS. End-stations running unroutable protocols cannot be differentiated and thus cannot be defined as part of a network-layer VLAN.

IP Multicast Groups as VLANs

IP multicast groups represent a somewhat different approach to VLAN definition, although the fundamental concept of VLANs as broadcast domains still applies. When an IP packet is sent via multicast, it is sent to an address that is a proxy for an explicitly defined group of IP addresses that is established dynamically. Each workstation is given the opportunity to join a particular IP multicast group by responding affirmatively to a broadcast notification, which signals that group’s existence. All workstations that join an IP multicast group can be seen as members of the same virtual LAN. However, they are only members of a particular multicast group for a certain period of time. Therefore, the dynamic nature of VLANs defined by IP multicast groups enables a very high degree of flexibility and application sensitivity. In addition, VLANs defined by IP multicast groups would inherently be able to span routers and thus WAN connections.

Combination VLAN Definitions

Due to the trade-offs between various types of VLANs, many vendors are planning to include multiple methods of VLAN definition. Such a flexible definition of VLAN membership enables network managers to configure their VLANs to best suit their particular network environment. For example, by using a combination of methods, an organization that utilizes both IP and NetBIOS protocols could define IP VLANs corresponding to preexisting IP subnets (convenient for smooth migration), and then define VLANs for NetBIOS end-stations by dividing them by groups of MAC-layer addresses.

Automation of VLAN Configuration

Another issue central to VLAN deployment is the degree to which VLAN configuration is automated. To a certain extent, this degree of automation is correlated to how VLANs are defined; but in the end, the specific vendor solution will determine this level of automation. There are three primary levels of automation in VLAN configuration:

• Manual. With purely manual VLAN configuration, both the initial setup and all subsequent moves and changes are controlled by the network administrator. Of course, purely manual configuration enables a high degree of control. However, in larger enterprise networks, manual configuration is often not practical. Furthermore, it defeats one of the primary benefits of VLANs: elimination of the time it takes to administer moves and changes—although moving users manually with VLANs may actually be easier than moving users across router subnets, depending on the specific vendor’s VLAN management interface.

• Semiautomated. Semiautomated configuration refers to the option to automate either initial configuration, subsequent reconfigurations (moves/changes), or both. Initial configuration automation is normally accomplished with a set of tools that map VLANs to existing subnets or other criteria. Semiautomated configuration could also refer to situations where VLANs are initially configured manually, with all subsequent moves being tracked automatically. Combining both initial and subsequent configuration automation would still imply semiautomated configuration, because the network administrator always has the option of manual configuration.

• Fully Automatic. A system that fully automates VLAN configuration implies that workstations automatically and dynamically join VLANs depending on application, user ID, or other criteria or policies that are preset by the administrator. This type of VLAN configuration is discussed in greater detail toward the end of this paper.

Communicating VLAN Membership Information

Switches must have a way of understanding VLAN membership (that is, which stations belong to which VLAN) when network traffic arrives from other switches; otherwise, VLANs would be limited to a single switch. In general, layer 2–based VLANs (defined by port or MAC address) must communicate VLAN membership explicitly, while VLAN membership in IP-based VLANs is implicitly communicated by the IP address. Depending on the particular vendor’s solution, communication of VLAN membership may also be implicit in the case of layer 3–based VLANs in a multiprotocol environment.

To date, outside of implementing an ATM backbone, three methods have been implemented for interswitch communication of VLAN information across a backbone: table maintenance via signaling, frame tagging, and time-division multiplexing (TDM).

• Table Maintenance via Signaling. This method operates as follows: When an end-station broadcasts its first frame, the switch resolves the end-station’s MAC address or attached port with its VLAN membership in cached address tables. This information is then broadcast continuously to all other switches. As VLAN membership changes, these address tables are manually updated by a system administrator at a management console. As the network expands and switches are added, the constant signaling necessary to update the cached address tables of each switch can cause substantial congestion of the backbone. For this reason, this method does not scale particularly well.

• Frame Tagging. In the frame-tagging approach, a header is typically inserted into each frame on interswitch trunks to uniquely identify which VLAN a particular MAC-layer frame belongs to. Vendors differ in the way they solve the problem of occasionally exceeding the maximum length of MAC-layer frames as these headers are inserted. These headers also add overhead to network traffic.

• TDM. The third, and least utilized method, is time-division multiplexing. TDM works the same way on the interswitch backbone to support VLANs as it does in the WAN environment to support multiple traffic types—here, channels are reserved for each VLAN. This approach cuts out some of the overhead problems inherent in signaling and frame tagging, but it also wastes bandwidth, because a time slot dedicated to one VLAN cannot be used by another VLAN, even if that channel is not carrying traffic.

Deploying an ATM backbone also enables the communication of VLAN information between switches, but it introduces a new set of issues with regard to LAN Emulation (LANE). ATM is discussed in detail in a separate section of this paper. However, for the time being, it should be remembered that with port group–defined VLANs, the LANE standard provides for a nonproprietary method of communicating VLAN membership across a backbone.

Standards and the Proprietary Nature of VLANs

Given the variety of types of VLAN definitions and the variety of ways that switches can communicate VLAN information, it should not be surprising that each vendor has developed its own unique and proprietary VLAN solutions and products. The fact that switches from one vendor will not interoperate entirely with VLANs from other vendors may force customers to buy from a single vendor for VLAN deployment across the enterprise. An exception to this rule arises when VLANs are implemented in conjunction with an ATM backbone and LANE. This is discussed further in “VLANs and ATM,” later in this paper.

The fact that single-vendor VLAN solutions in the LAN backbone will be the rule for the foreseeable future contributes to the recommendation that VLANs should not be deployed indiscriminately throughout the enterprise. It also implies that purchase decisions should be more highly centralized or coordinated than they may traditionally have been. Thus, from both a procurement and a technological perspective, VLANs should be considered as elements of a strategic approach.

The following two VLAN standards have been proposed:

• 802.10 “VLAN Standard.” In 1995, Cisco Systems proposed the use of IEEE 802.10, which was originally established to address LAN security, for VLANs. Cisco attempted to take the optional 802.10 frame header format and “reuse” it to convey VLAN frame tagging instead of security information. Although this can be made to work technically, most members of the 802 committee have been strongly opposed to using one standard for two discrete purposes. In addition, this solution would be based on variable-length fields, which make implementation of ASIC-based frame processing more difficult and thus slower and/or more expensive.

• 802.1 Internetworking Subcommittee. In March, 1996, the IEEE 802.1 Internetworking Subcommittee completed the initial phase of investigation for developing a VLAN standard, and passed resolutions concerning three issues: the architectural approach to VLANs; a standardized format for frame tagging to communicate VLAN membership information across multiple, multivendor devices; and the future direction of VLAN standardization. The standardized format for frame tagging, in particular, known as 802.1Q, represents a major milestone in enabling VLANs to be implemented using equipment from several vendors, and will be key in encouraging more rapid deployment of VLANs. Furthermore, establishment of a frame format specification will allow vendors to immediately begin incorporating this standard into their switches. All major switch vendors, including Alantec/FORE, Bay Networks, Cisco, and IBM, voted in favor of this proposal.

However, due to the lag time necessary for some vendors to incorporate the frame format specification and the desire on the part of most organizations to have a unified VLAN management platform, VLANs will, in practice, continue to retain characteristics of a single-vendor solution for some time. This has significant ramifications for deployment and procurement of VLANs. Department-level procurement for LAN equipment, particularly in the backbone, is not practical for organizations deploying VLANs. Purchasing decisions and standardization on a particular vendor’s solution throughout the enterprise will become the norm, and price-based product competition will decrease. The structure of the industry itself may also shift in favor of the larger networking vendors that can furnish a complete solution across a wide range of components.

VLAN Implementation Benefits

Why are vendors paying so much attention to VLAN implementation? Will VLANs solve all of the network manager’s problems with respect to moves, changes, broadcasts, and performance?

Reducing the Cost of Moves and Changes

The reason most often given for VLAN implementation is a reduction in the cost of handling user moves and changes. Since these costs are quite substantial, this argument for VLAN implementation can be compelling.

Many vendors are promising that VLAN implementation will result in a vastly increased ability to manage dynamic networks and realize substantial cost savings. This value proposition is most valid for IP networks. Normally, when a user moves to a different subnet, IP addresses must be manually updated in the workstation. This updating process can consume a substantial amount of time that could be used for more productive endeavors such as developing new network services. VLANs eliminate that hassle, because VLAN membership is not tied to a workstation’s location in the network, allowing moved workstations to retain their original IP addresses and subnet membership.

It is certainly true that the phenomenon of increasingly dynamic networks absorbs a substantial portion of the budgets of most IS departments. However, not just any VLAN implementation will reduce these costs. VLANs themselves add another layer of virtual connectivity that must be managed in conjunction with physical connectivity. This is not to say that VLANs cannot reduce the costs of moves and changes—if properly implemented, they will. However, organizations must be careful not to simply throw VLANs at the network, and they must make sure that the solution does not generate more network administration than it saves.

Virtual Workgroups

One of the more ambitious VLAN objectives is the establishment of the virtual workgroup model. The concept is that, with full VLAN implementation across the campus network environment, members of the same department or section can all appear to share the same “LAN,” with most of the network traffic staying within the same VLAN broadcast domain. Someone moving to a new physical location but remaining in the same department could move without having workstations reconfigured. Conversely, a user would not have to change his or her physical location when changing departments—the network manager would simply change the user’s VLAN membership.

This functionality promises to enable a more dynamic organizational environment, enhancing the recent trend toward cross-functional teams. The logic of the virtual workgroup model goes like this: teams formed on a temporary, project basis could be virtually connected to the same LAN without requiring people to physically move in order to minimize traffic across a collapsed backbone. Additionally, these workgroups would be dynamic: VLANs corresponding to these cross-functional project teams could be set up for the duration of the project and torn down when the project was completed, all the while allowing users to remain in the same physical locations.

Although this scenario seems attractive, the reality is that VLANs alone cannot pave the way for full utilization of the virtual workgroup model. There are several managerial and architectural issues that, at this point, pose problems for the virtual workgroup model:

• Managing Virtual Workgroups. From a network management perspective, the transitory nature of these virtual workgroups may grow to the point where updating VLAN membership becomes as onerous as updating routing tables to keep up with adds, moves, and changes today (although it may save on the time and effort involved in physically moving the user’s workstation). Moreover, there are still cultural hurdles to overcome in the virtual workgroup model: people usually move to be physically close to those with whom they work, rather than to reduce traffic across a collapsed backbone.

• Maintaining the 80/20 Rule. Virtual LAN support for virtual workgroups is often tied to support of the “80/20 rule,” that is, 80 percent of the traffic is “local” to the workgroup while 20 percent is remote or outside of the workgroup. In theory, by properly configuring VLANs to match workgroups, only the 20 percent of the traffic that is nonlocal will need to pass through a router and out of the workgroup, improving performance for the 80 percent of the traffic that is within the workgroup.

However, many believe that the applicability of the 80/20 rule is waning due to the deployment of servers and/or network applications such as e-mail and Lotus Notes® that users throughout the enterprise access on an equal basis.

• Access to Local Network Resources. The virtual workgroup concept may run into the simple problem that users must sometimes be physically close to certain resources such as printers. For example, a user is in the Accounting VLAN, but is physically located in an area populated by members of the Sales VLAN. The local network printer is also in the Sales VLAN. Every time this Accounting VLAN member prints to the local printer, his print file must traverse a router connecting the two VLANs. This problem can be avoided by making that printer a member of both VLANs. This clearly favors VLAN solutions that enable overlapping VLANs, discussed later. If overlapping VLANs are not possible, this scenario would require that routing functionality be built into the backbone switch. Then, the example print file would be routed by the switch rather than having to go through an external router.

• Centralized Server Farms. Server farms refer to the placement of departmental servers in a central location, where they can be provided with consolidated backup, uninterrupted power supply, and a proper operating environment. The trend toward server farm architecture has accelerated recently and is expected to continue in order to ease administrative costs. Centralized server farms raise problems for the virtual workgroup model when vendor solutions do not provide the ability for a server to belong to more than one VLAN simultaneously. If overlapping VLANs are not possible, traffic between a centralized server and clients not belonging to that server's VLAN must traverse a router. However, if the switch incorporates built-in routing and is able to route inter-VLAN packets at wire speed, there is no performance advantage for overlapping VLANs over routing between VLANs to allow universal access to a centralized server. Remember, only inter-VLAN packets would need to be routed, not all packets. Several vendors support integrated routing as an alternative to overlapping VLANs.

While workgroup VLANs may be extended to centralized server farms (for example, including a particular file server in a particular workgroup's VLAN), this is not always possible. In some networks, the MIS people who control the servers may want to place routers between the server farms and the rest of the network in order to create a separate administrative domain or to enhance network security via router access control lists. Depending on the vendor implementation, most switching products will not support VLANs that extend across routers (the exception to this would be "VLANs" that equate to IP multicast groups). It should be kept in mind that cordoning off servers with external routers conflicts with one of the reasons for utilizing switches and VLANs in the first place: to avoid the delay introduced by routers. That trade-off should be made explicitly. A server placed in several overlapping VLANs is reachable at layer 2 from every member of each of those VLANs, with none of the filtering that a router's access control lists would apply; the delay of the router is the price of that filtering.

Reduction of Routing for Broadcast Containment

Even the most router-centric networking vendors have come to embrace the philosophy of "switch when you can, route when you must." Although switches certainly provide substantial performance enhancements over layer 3 packet forwarding (routing), as users learned years ago with bridges, switches normally do not filter LAN broadcast traffic; in general, they replicate it on all ports. This not only can cause large switched LAN environments to become flooded with broadcasts, it is also wasteful of precious bandwidth. As a result, users have traditionally been forced to partition their networks with
routers that act as broadcast "firewalls." Hence, simple switches alone do not allow users to phase out routers completely.

One of the primary benefits of VLANs is that LAN switches supporting VLANs can be used to effectively control broadcast traffic, reducing the need for routing. Broadcast traffic from servers and end-stations in a particular VLAN is replicated only on those switch ports connected to end-stations belonging to that VLAN. Broadcast traffic is blocked from ports with no end-stations belonging to that VLAN, in effect creating the same type of broadcast firewall that a router provides. Only packets that are destined for addresses outside the VLAN need to proceed to a router for forwarding.

There are multiple reasons for utilizing VLANs to reduce the need for routing in the network:

• Higher Performance and Reduced Latency. As the network expands, more and more routers are required to divide the network into broadcast domains. As the number of routers increases, latency begins to degrade network performance. A high degree of latency in the network is a problem now for many legacy applications, but it is particularly troublesome for newer applications that feature delay-sensitive multimedia and interactivity. Switches that employ VLANs can accomplish the same division of the network into broadcast domains, but can do so at latencies much lower than those of routers. In addition, performance, measured in packets per second, is usually much higher for switches than for traditional routers. However, it should be noted that there are some switches supporting network layer-defined VLANs that may not perform substantially faster than routers. Additionally, latency is also highly correlated to the number of hops a packet must traverse, no matter what internetworking device (switch or router) is located at each hop.

• Ease of Administration. Routers require much more complex configuration than switches; they are "administratively rich." Reducing the number of routers in the network saves time spent on network management.

• Cost. Router ports are more expensive than switch ports. Also, by utilizing cheaper switch ports, switching and VLANs allow networks to be segmented at a lower cost than would be the case if routers alone were used for segmentation.

In comparing VLANs with routing, VLANs have their disadvantages as well. The most significant weakness is that VLANs have been, to date, single-vendor solutions and therefore may lead to switch vendor lock-in. The primary benefits of VLANs over routing are the creation of broadcast domains without the disadvantages of routing and a reduction in the cost of moves and changes in the network. Therefore, if neither of these is a problem, then the user organization may want to forgo VLANs and continue deploying a multivendor network backbone, segmented by a mix of a few routers and a relatively large number of simple switches.

Assuming a major implementation of VLANs, what is the role of routers in a network? Routers have two remaining responsibilities: to provide connectivity between VLANs, and to provide broadcast filtering capabilities for WAN links, where VLANs are generally not appropriate.

Routing Between VLANs. VLANs can be used to establish broadcast domains within the network as routers do, but they cannot forward traffic from one VLAN to another. Routing is still required for inter-VLAN traffic. Optimal VLAN deployment is predicated on keeping as much traffic from traversing the router as possible. Minimizing this traffic reduces the chance of the router developing into a bottleneck. As a result, the corollary to "switch when you can, route when you must" in a VLAN environment becomes "routing is used only to connect VLANs."

Having said this, however, keep in mind that in some cases routing may not prove to be much of a bottleneck. As mentioned earlier, integrating routing functionality into the backbone switch eliminates this bottleneck if this routing is accomplished at high speed for inter-VLAN packets.
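As an added illustration of the broadcast containment and overlapping membership described above (this is example code written for this edition, not code from the report or from any switch vendor), the following Python model implements a port-group VLAN switch with per-VLAN address learning. The port names, VLAN numbers and MAC addresses (drawn from the 00:00:5E:00:53:xx documentation range) are constructed for the example. It reproduces the printer scenario from the previous page: the shared printer port is a member of both the Accounting and Sales VLANs, so an Accounting station reaches it directly; an Accounting broadcast is replicated only to Accounting ports; and a frame addressed to a Sales station from the Accounting VLAN is flooded only inside Accounting and never reaches its destination, which is exactly the traffic that must go to a router.

```python
"""Port-group VLAN switch model: broadcast containment and overlapping membership."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed example topology; MAC addresses use the RFC 7042 documentation range.
MACS = {
    "acct-1": "00:00:5e:00:53:01",   # Accounting workstation
    "acct-2": "00:00:5e:00:53:02",   # Accounting workstation
    "sales-1": "00:00:5e:00:53:11",  # Sales workstation, physically adjacent
    "sales-2": "00:00:5e:00:53:12",  # Sales workstation
    "printer": "00:00:5e:00:53:21",  # shared printer, member of both VLANs
    "router": "00:00:5e:00:53:fe",   # router interface, member of both VLANs
}
PORT_VLANS = {
    "acct-1": {10}, "acct-2": {10},
    "sales-1": {20}, "sales-2": {20},
    "printer": {10, 20},
    "router": {10, 20},
}


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC
    dst: str  # destination MAC, BROADCAST for a broadcast frame


class VlanSwitch:
    """Each port carries a set of VLAN ids; addresses are learned per VLAN."""

    def __init__(self, port_vlans):
        self.port_vlans = {p: frozenset(v) for p, v in port_vlans.items()}
        self.fdb = {}  # (vlan, mac) -> port

    def _same_vlan_ports(self, ingress):
        """Ports sharing at least one VLAN with `ingress`: its broadcast domain."""
        vs = self.port_vlans[ingress]
        return sorted(p for p, pv in self.port_vlans.items() if p != ingress and pv & vs)

    def forward(self, frame, ingress):
        """Return the ports that receive a copy of `frame` arriving on `ingress`."""
        vs = self.port_vlans[ingress]
        for v in vs:  # learn the source address in every VLAN the port belongs to
            self.fdb[(v, frame.src)] = ingress
        if frame.dst == BROADCAST:
            return self._same_vlan_ports(ingress)  # replicated only inside the VLAN
        for v in vs:  # known unicast: one copy to one port
            egress = self.fdb.get((v, frame.dst))
            if egress is not None and egress != ingress:
                return [egress]
        # Unknown unicast is flooded, but still only inside the ingress VLAN(s).
        # A station that lives in another VLAN is never reached this way; that
        # traffic has to go through a router.
        return self._same_vlan_ports(ingress)


def run_scenario():
    """The report's printer example: returns the ports reached by each frame."""
    sw = VlanSwitch(PORT_VLANS)
    for port, mac in MACS.items():  # every station announces itself once, as ARP would
        sw.forward(Frame(mac, BROADCAST), port)
    return {
        "acct_broadcast": sw.forward(Frame(MACS["acct-1"], BROADCAST), "acct-1"),
        "acct_to_printer": sw.forward(Frame(MACS["acct-1"], MACS["printer"]), "acct-1"),
        "acct_to_sales": sw.forward(Frame(MACS["acct-1"], MACS["sales-1"]), "acct-1"),
        "printer_broadcast": sw.forward(Frame(MACS["printer"], BROADCAST), "printer"),
        "sales_to_sales": sw.forward(Frame(MACS["sales-1"], MACS["sales-2"]), "sales-1"),
    }


if __name__ == "__main__":
    for name, ports in run_scenario().items():
        print(f"{name:18s} -> {', '.join(ports)}")
```

Running the module prints the five deliveries. Two of them carry the qualification a practitioner should keep in mind: `printer_broadcast` shows that a device placed in both VLANs is heard by every port of both, and `acct_to_sales` shows that an unknown unicast is still replicated to every Accounting port, so a station in promiscuous mode does see its own VLAN's flooded traffic. What it never sees, on any of these runs, is a frame from the other VLAN.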

VLANs Over the WAN. Theoretically, VLANs can be extended across the WAN. However, this is generally not advised, since VLANs defined over the WAN will permit LAN broadcast traffic to consume expensive WAN bandwidth. Because routers filter broadcast traffic, they neatly solve this problem. However, if WAN bandwidth is free for a particular organization (for example, an electric utility with dark fiber installed in its right of way), then extending VLANs over a WAN can be considered. Finally, depending on how they are constructed, IP multicast groups (functioning as "VLANs") can be effectively extended across the WAN, as well as the routers providing the WAN connections, without wasting WAN bandwidth.

Security

The ability of VLANs to create firewalls can also satisfy more stringent security requirements and thus replace much of the functionality of routers in this area. This is primarily true when VLANs are implemented in conjunction with private port switching. The only broadcast traffic on a single-user segment would be from that user's VLAN (that is, traffic intended for that user). Conversely, it would not be possible to "listen" to broadcast or unicast traffic belonging to other VLANs (even by putting the workstation's network adapter in promiscuous mode), because such traffic does not physically traverse that segment. Two qualifications apply. First, the isolation is only as good as the switch's port-to-VLAN assignment: a port left in the wrong VLAN, or made a member of several VLANs, receives every one of those VLANs' broadcasts. Second, traffic that the switch floods within the user's own VLAN (broadcasts, and unicasts to addresses the switch has not yet learned) still reaches the port, so the single-user segment is private with respect to other VLANs, not with respect to every station in its own VLAN.

VLANs and ATM

While the concept of VLANs originated with LAN switches, their use may need to be extended to environments where ATM networks and ATM-attached devices are also present. Combining VLANs with ATM networks creates a new set of issues for network managers, such as relating VLANs to ATM emulated LANs (ELANs), and determining where to place the routing function.

VLANs Transparent to ATM

In a LAN backbone with VLANs spanning more than one LAN switch, switches determine where frames have originated by the techniques discussed earlier in "Communicating VLAN Membership Information" (VLAN tables, frame tagging, and TDM). In an environment where ATM exists only in the backbone (that is, there are no ATM-connected end-stations), ATM permanent virtual circuits (PVCs) may be set up in a logical mesh to carry intra-VLAN traffic between these multiple LAN switches.

In this environment, any proprietary technique the vendor has employed is transparent to the ATM backbone. ATM switches do not have to be VLAN "aware." This means that ATM backbone switches could be from a different vendor than the LAN switches; ATM backbone switches could be selected without regard for VLAN functionality, allowing network managers to focus more on performance-related issues. As convenient as this situation sounds, it does not reflect reality for many network environments.

Complexity Arising with ATM-Attached Devices

Usually, organizations that implement ATM backbones would also like to connect workstations or, more likely, servers directly to those backbones. As soon as any logical end-station is connected via ATM, a new level of complexity arises. LAN Emulation must be introduced into the network to enable ATM-connected end-stations and non-ATM-connected end-stations to communicate.

LAN Emulation

With the introduction of ATM-connected end-stations, the network becomes a truly "mixed" environment, with two types of networks operating under fundamentally different technologies: connectionless LANs (Ethernet, Token Ring, FDDI, etc.) and connection-oriented ATM. This environment puts the responsibility on the ATM side of the network to "emulate" the characteristics of broadcast LANs and provide MAC-to-ATM address resolution.

The LAN Emulation (LANE) specification, standardized in 1995 by the ATM Forum, specifies how this emulation is accomplished in a multivendor environment. LANE specifies a LAN Emulation server (LES), which can be incorporated into one or more

[Figure 2 (diagram): Ethernet end-stations on two LAN switches, each switch holding a LEC on its ATM interface; an ATM switch in the ATM network hosts the LES; an ATM-attached file server has its own LEC. SVCs run between the LECs, and the numbered arrows 1 to 5 correspond to the LANE steps described below.]

Figure 2. LAN Emulation

switches or a separate workstation to provide the MAC-to-ATM address resolution in conjunction with LAN Emulation clients (LECs), which are incorporated into ATM edge switches and ATM NICs.

Figure 2 briefly illustrates how LANE operates:

1. The LAN switch receives a frame from an Ethernet-connected end-station. This frame is destined for another Ethernet end-station across the ATM backbone. The LEC (which in this situation resides in the LAN switch) sends a MAC-to-ATM address resolution request to the LES (which in this case resides in an ATM switch).
2. The LES sends a multicast to all other LECs in the network.
3. Only the LEC that has the destination (MAC) address in its tables responds to the LES.
4. The LES then broadcasts this response to all other LECs.
5. The original LEC recognizes this response, learns the ATM address of the destination switch, and sets up a switched virtual circuit (SVC) to transport the frame via ATM cells as per AAL5, which governs segmentation and reassembly.

In looking at the path of traffic between an Ethernet-attached client and an ATM-attached server, the section that is governed by LANE extends from the LEC in the ATM interface of the LAN switch to the LEC residing in the server's ATM NIC. From the standpoint of either MAC driver, frames pass directly between them just as if they were connected by a non-ATM backbone, with each LEC acting as a proxy MAC address. VLANs defined by port group would treat the ATM interface on the LAN switch as just another Ethernet port, and all ATM-attached devices would then be members of that VLAN. In this way, VLANs could be deployed without regard to whether the ATM switches in the backbone are from the same vendor (so long as they support LANE).

However, from an administrative point of view, many organizations may not want to employ separate management software for the ATM backbone and may prefer to source both edge devices (LAN switches) and backbone devices (ATM switches) from the same vendor.

LANE can also allow for multiple ELANs by establishing more than one LEC in the ATM interfaces of participating devices (as well as a separate LES for each ELAN). Each LEC in the ATM interface of the LAN switch is treated as a separate logical Ethernet port, and each LEC in a single ATM-attached device is seen as a separate Ethernet-attached end-station. Therefore, multiple LECs in a single ATM-attached device can be members of different VLANs, allowing these VLANs to overlap at ATM-attached devices. Since LANE supports only ATM-attached devices,

[Figure 3 (diagram): a LAN switch with an ATM interface and VLANs defined by port group, VLAN #1 and VLAN #2. The single ATM interface carries two LECs, LEC1 and LEC2, each emulating an Ethernet port assigned to a different VLAN and each belonging to a different ELAN (ELAN #1, ELAN #2) across the ATM network. On the far side, an ATM-attached server running applications accessible by both VLANs has a single ATM interface with two LECs, each a member of a different ELAN and VLAN.*]

* Note: Each LEC on a single ATM interface must be on separate ELANs. They are shown here on separate VLANs only because their corresponding LECs on the ATM switch have been explicitly assigned to different VLANs.

Figure 3. VLANs as Supersets of ELANs

while VLANs are defined for both ATM and non-ATM network devices, VLANs can be seen as supersets of ELANs (Figure 3).

With this structure, an ATM backbone can enable all end-stations from multiple VLANs to access a centralized server or servers without passing through a router by establishing a separate ELAN for each VLAN. Since most traffic in a network is between client and server, establishing VLANs that overlap at ATM-attached servers greatly reduces the number of packets that must be routed between VLANs. Of course, there is still likely to be a small amount of inter-VLAN traffic remaining. Therefore, a router is still required for traffic to pass from one VLAN to another (and, therefore, from one ELAN to another). Figure 4 depicts this type of structure.

Routing Between Emulated LANs and/or VLANs

Since routing remains necessary in any mixed ATM/shared media environment to forward inter-VLAN traffic, network designers are faced with the question of where to locate the router functionality. The following are four architectural solutions to the problem of where to locate the routing functionality: edge

[Figure 4 (diagram): an Ethernet LAN switch with its servers in VLAN #1 / ELAN #1 and another in VLAN #2 / ELAN #2, both connected across an ATM network to an ATM-attached file server that belongs to both ELANs; a router with an interface in each VLAN connects both VLANs and thus both ELANs.]

Figure 4. Router Connecting Overlapping VLANs/ELANs

routing, the "one-armed" router, the route server, and MPOA.

Edge Routing. Basically, edge routing dictates that the routing function across the ATM backbone be incorporated into each LAN switch at the "edge" of the ATM backbone. Traffic within VLANs can be switched across the ATM backbone with minimal delay, while inter-VLAN packets are processed by the routing function built into the switch. In this way, an inter-VLAN packet does not have to make a special trip to an external router, eliminating a time-consuming extra hop.

There are three other major advantages to this architecture. First, unlike solutions that have centralized routing, there is no single point of failure with edge routing architectures. Second, several solutions featuring edge routing are available today. Third, edge routing will function in multivendor environments if each vendor's equipment supports LAN Emulation.

The primary disadvantage of edge routing is the difficulty of managing multiple physical devices relative to having centralized management of a consolidated router/routing function. Additionally, edge routing solutions may be more expensive than centralized routing solutions made up of a centralized router and multiple, less-expensive edge switches.

The One-Armed Router. The concept of the so-called "one-armed router" has become particularly attractive because it removes the more processing-intensive, higher-latency routing function from the primary data path. A one-armed router sits off the side of an ATM backbone switch with a single ATM link, allowing packets that do not need to traverse the router to pass through the ATM backbone unimpeded. Another advantage of the one-armed router is that, relative to other configurations, it is less complex to configure and administer.

The key to the one-armed router structure, shown in Figure 5, is to keep as much traffic as possible out of the one-armed router. By structuring VLANs to support the 80/20 rule (so that 80 percent of the traffic remains within each VLAN), the router is not required to handle most traffic. For this to work well, optimal configuration of VLANs to minimize inter-VLAN traffic (traffic passing through the one-armed router) is critical. There are several vendors presently shipping one-armed router solutions.

One of the disadvantages of the one-armed router is that it represents a single point of failure in the network. For this reason, two or more redundant one-armed routers are generally preferred. However, perhaps the most significant drawback of the one-armed router is that its one arm can develop into a bottleneck if VLAN traffic does not support the 80/20 rule. This can occur particularly in networks with large amounts of peer-to-peer traffic.

The Route Server. The route server model (see Figure 6) is physically similar to the one-armed router model, but logically very different in that it breaks up the routing function into distributed parts. In a one-armed router configuration, a packet from VLAN A heading to

[Figure 5 (diagram): two LAN switches attached by ATM links to ATM switches in the backbone; a one-armed router hangs off one ATM switch by a single link. Traffic within the same VLAN crosses the backbone directly; traffic between VLANs detours through the one-armed router.]

Figure 5. One-Armed Router

[Figure 6 (diagram): the same layout with a route server attached to the ATM network in place of the one-armed router. Traffic within the same VLAN and traffic between VLANs both cross the ATM network from switch to switch; only the bidirectional signaling required for address resolution passes between the LAN switches and the route server.]

Figure 6. Route Server

VLAN B is sent to the one-armed router, where it waits for address resolution, path calculation, establishment of a connection across the ATM backbone, and, finally, transmission. In a route server scheme, the same packet waits in the cache of the LAN switch at the edge of the ATM backbone before transmission. In this process, the packet itself never traverses a router. The only traffic to and from the route server is the signaling required to set up a connection between LAN switches across the ATM backbone. The advantage is that less routed traffic must be diverted to the route server, often reducing the number of hops required through the backbone. Also, overall traffic across the route server's one arm is reduced.

There are, of course, disadvantages to the route server approach as well. First, initial vendor implementations are strictly proprietary and do not support standard routing protocols. Secondly, at this point available route servers only support IP. Of course, the route server shares one of the one-armed router's drawbacks in that it can be a single point of failure, but, as with the one-armed router, this problem can be mitigated through redundancy. Finally, because a route server architecture requires LAN switches to have a certain level of routing functionality, route server solutions tend to be more expensive and more complex to configure than the relatively simple LAN switches deployed in the one-armed router architecture.

MPOA. There is at least one development that may eventually standardize the route server approach. The Multiprotocol over ATM (MPOA) standards working group of the ATM Forum is currently working out the details of an implementation model for MPOA service. While a variety of models have been proposed, MPOA is expected to provide direct virtual circuit connectivity between ATM-network-attached devices that may belong to different routing subnets. In other words, MPOA can let logical end-stations that are part of different ELANs communicate directly across an ATM network without requiring an intervening router.

Since ELANs are subsets of VLANs, MPOA holds the promise of enabling an ATM backbone to connect VLANs without the need for an external router. MPOA can be considered an enhancement beyond LANE that integrates routing functionality into the LAN-ATM edge switch. All inter-VLAN traffic would be able to leverage this capability, and network latency would be reduced. An MPOA standard is not expected to be finalized until at least 1997, and the initial implementation will most likely support only TCP/IP. It should be noted that some of the disadvantages of the route server approach, such as cost and management complexity, would remain in MPOA solutions.

VLANs and DHCP: Overlapping Solutions

With Microsoft's recent introduction of support for the Dynamic Host Configuration Protocol (DHCP, an IETF standard defined in RFC 1541 and derived from BOOTP) in its products, users now have another alternative for reducing the workload associated with administration of workstation IP addresses. Unfortunately, DHCP can actually conflict
with VLAN implementation, especially with layer-3, IP-based VLANs.

DHCP Functionality

When considering the ability of VLANs to deal with ever-changing networks, it should be remembered that most of the difficulty in supporting adds, moves, and changes occurs in IP networks. In order to deal with the problem of reconfiguring IP addresses, Microsoft has implemented DHCP, an IETF-standardized TCP/IP protocol, in the Windows NT® Server and most Windows® clients.

Rather than establishing location-independent broadcast domains as VLANs do, DHCP dynamically allocates IP addresses to logical end-stations for fixed periods of time (leases). When a workstation that has moved to a different subnet asks to keep its previous address, the DHCP server (which learns the requesting station's subnet from the relay agent that forwarded the request) refuses, and the station obtains a new address from that subnet's pool. By doing so, DHCP enables workstations to be moved from subnet to subnet without the network administrator having to manually configure the workstation's IP address or update host table information.

The element of DHCP that equates most closely to VLAN functionality is the network administrator's ability to specify a range of IP addresses available for a particular logical workgroup. These logical groups are termed "scopes" in the Microsoft lexicon. However, scopes should not be equated with VLANs, because members of a single scope are still bound by their physical subnet, although there can be multiple scopes residing in each subnet. Consequently, DHCP implementation may reduce the labor-intensive administration of TCP/IP networks, but DHCP alone does not control network broadcasts in the same way that VLANs do.

Best Use for Each

In what types of network environments should VLANs be implemented, and in what types of network environments does DHCP make the most sense? Since DHCP is solely an IP-based solution, it has little appeal in environments where IP users are a minority, since all non-TCP/IP clients would be excluded from scope membership. In particular, network environments where non-TCP/IP protocols are required for mission-critical applications may benefit more from VLAN implementation, since VLANs can be used to contain multiprotocol broadcast traffic.

However, for smaller, purely TCP/IP network environments (under 500 nodes), DHCP alone may suffice. By simply having fewer total network nodes and fewer physical subnets, the need to establish fully location-independent logical groups is greatly reduced. Additionally, for medium-sized organizations that, for whatever reason, do not support location-independent workgroups, VLANs lose much of their appeal when compared to DHCP.

There is one area in which VLANs and DHCP do not compete: reducing the necessity for routing in the network. Although DHCP servers dynamically maintain address tables, they lack routing functionality and cannot create broadcast domains. Therefore, DHCP has no impact on an organization's need for routing in the network. In environments where containment of broadcast traffic without having to resort to routers is a major requirement, VLANs are a better solution.

Overlap Between DHCP and VLANs

In what ways can DHCP and VLANs work together, and in what situations do they represent competitive solutions?

DHCP and layer-3, IP-based VLANs clearly represent competitive solutions because of addressing problems that stem from implementing layer 3-based VLANs in conjunction with DHCP. If a client workstation physically moves to a new subnet, the DHCP server will allocate a new IP address for that workstation. Yet, this workstation's VLAN membership is based on the old IP address. Therefore, the network administrator would have to manually update the client's IP address in the switch's VLAN tables. This would eliminate the primary benefit of DHCP and one of the primary benefits of IP-based VLANs. In summary, these two solutions represent an either/or proposition for most network environments.

Implementing VLANs defined by MAC-layer address in conjunction with DHCP is a
somewhat more plausible solution. However, DHCP together with MAC-based VLANs would create a two-tiered, redundant matrix of logical groups (MAC address-based VLANs and DHCP scopes). Having two tiers of logical groups would make otherwise easy-to-manage, "drag-and-drop" moves, adds, and changes unnecessarily difficult and might entail more labor-intensive network administration than if neither solution was implemented.

Port group-based VLANs and DHCP can coexist, and their joint implementation can even be complementary. As stated earlier, when users in VLANs based purely on port groups move from one port group to another, their VLAN membership changes. In a non-DHCP environment where IP subnets correspond one-to-one with VLANs, users who move from one port group to another would still need to have their workstation reconfigured to reflect their new IP subnet. Implementing DHCP would make this reconfiguration automatic. The port group-based VLANs, of course, provide the broadcast containment that DHCP implementation alone does not. In this way, DHCP and port-group-based VLANs can work together to accomplish both broadcast containment and automation of moves and changes.

Port group-based VLANs and DHCP, in conjunction with deployment of architectures that reduce the need for external routing of inter-VLAN traffic (such as multiple VLAN membership or integrating routing into the switch), represent a fairly complete short- to medium-term solution, which will alleviate the most pressing problems faced in many network environments.

VLAN Architectures Going Forward

Due to the trends toward server centralization, enterprise-wide e-mail, and collaborative applications, various network resources will need to be made available to users regardless of their VLAN membership. Ideally, this access should be provided without most user traffic having to traverse a router. Organizations that implement VLANs recognize the need for certain logical end-stations (for example, centralized servers) to communicate with multiple VLANs on a regular basis, either through overlapping VLANs (in which network-attached end-stations simultaneously belong to more than one VLAN) or via integrated routing that can process inter-VLAN packets at wire speed. From a strategic standpoint, these organizations have two ways to deploy VLANs: an "infrastructural" VLAN implementation or a "service-based" VLAN implementation. The choice of approach will have a substantial impact on the overall network architecture, and may even affect the management structure and business model of the organization.

Infrastructural VLANs

An infrastructural approach to VLANs is based on the functional groups (that is, the departments, workgroups, sections, etc.) that make up the organization. Each functional group, such as accounting, sales, and engineering, is assigned to its own uniquely defined VLAN. Based on the 80/20 rule, the majority of network traffic is assumed to be within these functional groups, and thus within each VLAN. In this model, VLAN overlap occurs at network resources that must be shared by multiple workgroups. These resources are normally servers, but could also include printers, routers providing WAN access, workstations functioning as gateways, and so forth. The amount of VLAN overlap in the infrastructural model is minimal, involving only servers rather than user workstations, making VLAN administration relatively straightforward. In general, this approach fits

[Figure 7 (diagram): three VLANs (Engineering VLAN, Sales VLAN, Accounting VLAN) and five servers (UNIX® file server, NetWare® file server, Sales database server, Accounting database server, E-mail server); the e-mail server belongs to all three VLANs, while the accounting database server belongs only to the Accounting VLAN.]

Figure 7. Infrastructural VLANs

well in those organizations that maintain clean, discrete organizational boundaries. The infrastructural model is also the approach most easily enabled by presently available solutions and fits more easily with networks deployed today. Moreover, this approach does not require network administrators to alter how they view the network, and entails a lower cost of deployment. For these reasons, most organizations should begin with an infrastructural approach to VLAN implementation.

As can be seen in the example in Figure 7, the e-mail server is a member of all of the departments' VLANs, while the accounting database server is only a member of the accounting VLAN.

Service-Based VLANs

A service-based approach to VLAN implementation looks, not at organizational or functional groups, but at individual user access to servers and applications, that is, network resources. In this model, each VLAN corresponds to a server or service on the network. Servers do not belong to multiple VLANs; groups of users do. In a typical organization, all users would belong to the e-mail server's VLAN, while only a specified group such as the accounting department plus top-level executives would be members of the accounting database server's VLAN.

By its nature, the service-based approach creates a much more complex set of VLAN membership relationships to be managed. Given the level of most VLAN visualization tools presently available, a large number of overlapping VLANs using the service-based approach could generate incomprehensible multilevel network diagrams at a management console. Therefore, to be practical, service-based VLAN solutions must include a high level of automatic configuration features. However, in response to the types of applications organizations want to deploy in the future, as well as the shift away from traditional, more rigid organizational structures, the trend in VLAN implementation will be toward the service-based approach. Figure 8 depicts the service-based VLAN model.

As bandwidth to the desktop increases and as vendor solutions become available to better manage greater VLAN overlap, the size of the groups that belong to a particular set of VLANs may become smaller and smaller. At the same time, the number of these groups becomes larger and larger, to the point where each individual could have a customized mix of services delivered to his or her workstation. Taking that concept a step further, control over what services are delivered at a given time could be left up to each individual user. At that point, the network structure begins to take on the multiple-channel characteristics of a cable TV (CATV) network. In fact, at this stage, this model finds the greatest degree of similarity in VLANs defined by IP multicast group: each workstation has the choice of which IP multicast or "channel" it wants to belong to.

In such a future environment, VLANs lose the characteristics of static or semistatic
broadcast domains defined by the network manager, and become channels to which users subscribe. Users simply sign up for the applications they need delivered to them at a particular time. Application use could be accounted for, enabling precise and automated chargeback for network services. Network managers could also retain control in order to block access to specific channels by certain users for security purposes.

VLAN Migration Strategies

As this paper has demonstrated, there are many factors to be considered in VLAN implementation: technological, architectural, and organizational. Given the effects of VLANs on network architecture, organizational structure, and even the business model of some organizations, it is difficult to deploy VLAN technology solely as a tactical solution, only where and when it is needed. However, this does not imply an all-or-nothing strategy in which the network architecture is transformed overnight from one based on physical subnets and router-based segmentation to one of service-based VLANs.

What steps are necessary before applying VLANs to an enterprise network? Initially, VLANs should be seen as a solution to at least one of two problems:

• Containment of broadcast traffic to minimize dependence on routers
• Reduction in the cost of network moves and changes

An organization where broadcast traffic is not yet a problem, or where the cost of network moves and changes is tolerable, may want to forgo implementing VLANs for the time being. However, the majority of large enterprise networks are now experiencing one or both of these problems.

In organizations that are rapidly replacing routers with switches and may soon face broadcast traffic containment issues, another element of the network architecture should be considered: the degree to which the network has evolved toward a single user/port switched LAN architecture. If the majority of users are still on shared LAN segments, the ability of VLANs to contain broadcasts is greatly reduced. If multiple users belonged to different VLANs on the same shared LAN segment, that segment would receive broadcasts from each VLAN, defeating the goal of broadcast containment. For the same reason, the isolation between VLANs described under Security does not hold on such a segment: every station on it can see every VLAN's traffic that reaches it.

Having determined that VLANs need to be a part of network planning in the immediate future, server access, server location, and application utilization must all be thoroughly analyzed to determine the nature of traffic flow in the network. This analysis should answer the remaining questions about where VLAN broadcast domains should be deployed, what role ATM needs to play, and where the routing function should be placed.

Because of the limitations of present VLAN technology, initial VLANs are likely to employ an infrastructural approach.
Figure 8. Service-Based VLANs
(Diagram: a UNIX file server VLAN, a NetWare file server VLAN, a Sales database server VLAN, an Accounting database server VLAN and an E-mail server VLAN, with the Sales, Accounting and Engineering workgroups shown as subscribers to the server VLANs they use.)
However, as vendor solutions develop, many organizations will want to consider migration toward a more service-based model, which will more easily let users subscribe to various network services.

This concept of user-controlled subscribership, as opposed to administrator-controlled membership, is augmented by NICs with built-in VLAN functionality operating in environments with a single user per switch port. In this scheme, the NIC driver dynamically tells the switch which multicast groups or VLANs it wants to belong to. Certainly, this type of distributed VLAN control leverages the increasing processing power of the desktop and enables a higher degree of other, related functionality such as automatic VLAN configuration and traffic monitoring. In addition, agents residing in each NIC will enable the workstation to collect and report information on specific application usage (rather than just simple layer 2 traffic statistics in the case of RMON1). This capability facilitates the automated chargeback for network services described earlier for service-based VLANs.

If individual users control VLAN membership, what about security? Clearly, users cannot be allowed to simply subscribe to any network service they wish. Because the end station, not the administrator, is asserting its membership, the switch must treat the NIC's message as a request rather than an instruction, and place the port only in the VLANs that policy permits. The network administrator must be able to establish policies that define which users have access to what resources and what class of service each user is entitled to. One solution to the security problem may come in the form of an authentication server. These servers may well develop into the primary method by which the VLANs of the future are defined. Authentication servers define VLAN membership by user ID (password or other authentication device) rather than by MAC address or IP address. Defining VLANs in this way greatly increases flexibility and also implies a certain level of integration of VLANs with the network operating system, which typically asks the user for a password anyway to allow or deny access to network resources. One of the primary advantages of authentication servers is that they allow the user to take his or her VLAN anywhere, without regard to which workstation or protocol is being used.

The analysis of network traffic, applications usage, server access, and so on that is necessary in the VLAN migration process, and which will be greatly furthered by the implementation of RMON2, may simply produce VLANs that correspond to functional teams or departments. On the other hand, if migration is undertaken with a holistic view of the capabilities of VLAN technology, and the network designers ask the question, “Who should talk to whom?” rather than “Who is talking to whom?,” it may become apparent that fundamental process and organizational changes are needed. Many organizations are making such changes: trends such as flatter hierarchies, revamped workflows, and innovative business models are helping to fully leverage the possibilities of emerging applications.

Conclusion
The concept of service-based VLAN technology holds the potential for harmonizing many of today’s organizational and managerial changes with the structural and technological developments in the network. Despite the promise of this vision, VLAN implementation must solve real-world problems in order to be financially justified. Organizations that have deployed or are planning to deploy large numbers of switch ports, dividing the network into smaller segments to increase bandwidth per user, can make a very strong case for VLAN implementation in order to contain broadcasts. However, any organization that expends substantial resources dealing with moves and changes in the network may also be able to justify VLAN implementation. This is simply because VLANs, if implemented as part of a strategic solution, may be able to substantially reduce the cost of dealing with moves and changes. For these organizations, the switching infrastructure upon which most VLAN solutions are based can be seen as an added, and quite valuable, benefit.
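The authentication-server approach described in the migration section, as an added example that is not part of the original report or of any vendor's product: an authentication server that grants VLAN membership by user ID against an administrator's policy table, and a switch that places a port only in the VLANs the server granted, whatever the NIC asked for. The policy, users, passwords, VLAN names and port names are all constructed; the PBKDF2 password check stands in for whatever "password or other authentication device" a real server would verify.

```python
"""VLAN membership granted by an authentication server, not by MAC or port.

Added example; it is not code from the report or from any vendor's product.
It models the design the report sketches: the NIC driver asks the switch
for VLANs, the switch passes the user's credentials and request to an
authentication server, and the server answers from administrator policy.
Users, passwords and the policy table are constructed for the example; the
credential check uses PBKDF2 from the standard library as a stand-in for
whatever credential a real server would verify.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, name, password, groups):
        salt = os.urandom(16)
        return cls(name, frozenset(groups), salt, _hash_password(password, salt))

    def verify(self, password):
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))


@dataclass(frozen=True)
class Decision:
    granted: frozenset   # VLANs the port may join
    denied: frozenset    # VLANs the NIC asked for but policy does not allow
    cos: str             # class of service the user is entitled to
    reason: str


# Constructed administrator policy: group -> (allowed service VLANs, class of service).
POLICY = {
    "sales": (frozenset({"sales-db", "email", "netware-fs"}), "silver"),
    "accounting": (frozenset({"acct-db", "email", "netware-fs"}), "gold"),
    "engineering": (frozenset({"unix-fs", "email"}), "silver"),
}
COS_RANK = {"none": 0, "bronze": 1, "silver": 2, "gold": 3}


class AuthServer:
    def __init__(self, policy, users):
        self.policy = policy
        self.users = {u.name: u for u in users}

    def decide(self, user_id, password, requested):
        """Answer a subscription request. The answer depends on who the user
        is, never on which port or MAC address the request came from."""
        requested = frozenset(requested)
        user = self.users.get(user_id)
        if user is None or not user.verify(password):
            # Unknown user or bad credential: the port gets no VLAN at all.
            return Decision(frozenset(), requested, "none", "authentication failed")
        allowed, cos = set(), "bronze"
        for group in user.groups:
            vlans, group_cos = self.policy.get(group, (frozenset(), "bronze"))
            allowed |= vlans
            if COS_RANK[group_cos] > COS_RANK[cos]:
                cos = group_cos
        granted = requested & allowed
        return Decision(granted, requested - granted, cos, "ok")


class Switch:
    """Switch-side enforcement: a port joins only what the server granted,
    never what the NIC asserted."""

    def __init__(self, auth):
        self.auth = auth
        self.port_vlans = {}

    def subscribe(self, port, user_id, password, requested):
        decision = self.auth.decide(user_id, password, requested)
        self.port_vlans[port] = set(decision.granted)
        return decision


# Constructed users; passwords are example values only.
USERS = [
    User.create("alice", "s3cret-sales", ["sales"]),
    User.create("carol", "books-and-quotas", ["sales", "accounting"]),
]
SERVER = AuthServer(POLICY, USERS)


if __name__ == "__main__":
    sw = Switch(SERVER)
    # Alice's NIC asks for more than policy allows: acct-db is refused.
    print(sw.subscribe("gi0/1", "alice", "s3cret-sales", ["sales-db", "acct-db"]))
    # Same user on another port gets the same VLANs: membership follows the user.
    print(sw.subscribe("gi0/7", "alice", "s3cret-sales", ["sales-db", "acct-db"]))
    # Wrong password: no VLAN at all.
    print(sw.subscribe("gi0/8", "alice", "wrong", ["email"]))
    print(sw.port_vlans)
```

Two properties of the design are visible in the code. Membership is keyed on the authenticated user, so the same person plugged into any port receives the same VLANs, which is the "take your VLAN anywhere" benefit; and the switch stores only the granted set, so a NIC that asserts a VLAN it is not entitled to gains nothing, and a failed authentication leaves the port in no VLAN rather than in some default.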

AppleTalk is a trademark of Apple Computer. DECnet is a trademark of Digital Equipment Corporation. Lotus Notes is a trademark of Lotus Development Corporation. Windows and Windows NT are trademarks of Microsoft. IPX and NetWare are trademarks of Novell. UNIX is a trademark of UNIX Laboratories. Printed in U.S.A. 200374-001 5/96