Sunday, June 26, 2011

Virtual Local Area Networks


A virtual LAN (VLAN) is a group of hosts or network devices, such as routers (running transparent bridging) and bridges, that forms a single bridging domain. Several VLANs can be defined on a single switch, and a VLAN can also span multiple switches. Layer 2 protocols such as IEEE 802.1Q and ISL (Inter-Switch Link) allow a VLAN to span multiple switches. VLANs are formed to group related users together regardless of the physical connections of their hosts to the network. The users can be spread across a campus network or even across geographically isolated locations. Users can be organized into separate VLANs according to their department, location, function, application, address (logical or physical), or protocol used. The goal with VLANs is to group users into separate VLANs so their traffic will stay within the VLAN. When you configure VLANs, the network can take advantage of the following benefits:

Benefits of using VLANs

  • Broadcast Control - Just as switches physically isolate collision domains for attached hosts and only forward traffic out a particular port, VLANs refine this concept further and provide complete isolation between VLANs. A VLAN is a bridging domain, and all broadcast and multicast traffic is contained within it.
  • Security - VLANs provide security in two ways:
    • High-security users can be grouped into a VLAN, possibly on the same physical segment, and no users outside of that VLAN can communicate with them.
    • Because VLANs are logical groups that behave like physically separate entities, inter-VLAN communication can only be achieved through a router. When inter-VLAN communication occurs through a router, all the security and filtering functionality that routers traditionally provide can be used. In the case of nonroutable protocols, there can be no inter-VLAN communication. All communication must occur within the same VLAN.
  • Performance - Users who require high-performance networks for bandwidth-intensive projects can be placed in their own VLAN, which isolates them and the rest of the network from each other.
  • Network Management - Software on the switch allows you to assign users to VLANs and, later, reassign them to another VLAN. Recabling to change connectivity is no longer necessary in the switched LAN environment because network management tools allow you to reconfigure the LAN logically in seconds.
Routers by default only send broadcasts within the originating network, but switches forward them to all segments. A network built this way is known as a flat network because it's one big broadcast domain. Switches and VLANs are used to replace the flat network. All members of a VLAN are in the same broadcast domain and receive all broadcasts. By default, broadcasts are filtered from all ports on a switch that aren't in the same VLAN. Routers, layer 3 switches, or Route Switch Modules (RSM) must be used in conjunction with switches to provide connections between networks (VLANs), which can stop broadcasts from propagating throughout the entire internetwork.

VLAN Organizations
A traditional collapsed backbone consists of a router with separate networks attached to its interfaces. Each node attached to the physical network needs to have the same network number in order to communicate on the internetwork. On switches you can group users into communities of interest called VLAN Organizations. Nodes in a VLAN can communicate with other nodes in the same VLAN, but they need to go through a router or other layer 3 device in order to communicate with nodes in other VLANs.

VLAN Memberships
VLANs are usually created by administrators who assign switch ports to VLANs. These are called static VLANs. Dynamic VLANs are configured by assigning all the host devices' hardware addresses into a database.
Static VLAN

Static VLANs are the typical method of creating VLANs and are the most secure. The switch port you assign a VLAN association to always maintains that association until an administrator changes the port assignment.
Dynamic VLAN

Dynamic VLANs determine a node's VLAN assignment automatically. Using intelligent management software, you can enable MAC addresses, protocols, or even applications to create dynamic VLANs. For example, if a host's MAC address is in a centralized database and the host connects to a switch port, the VLAN management database can look up the address and configure the port for the correct VLAN. If the user moves, the switch will automatically assign them to their correct VLAN.
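
An added example, not part of the original post: a small Python simulation of the MAC-database lookup described above, with a static port for contrast. The `Switch` class, MAC addresses, VLAN IDs and port names are constructed for illustration, and leaving a port unassigned when the MAC is not in the database is an assumption.

```python
import re

# Constructed sample data: every MAC, VLAN ID and port name here is invented.
MAC_TO_VLAN = {"00:1a:2b:3c:4d:5e": 10, "00:1a:2b:3c:4d:5f": 20}
STATIC_PORTS = {"Fa0/1": 30}  # pinned by an administrator


def normalize_mac(mac):
    """Accept colon, hyphen or dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class Switch:
    """Hypothetical model of a switch that consults a VLAN management database."""

    def __init__(self, mac_db, static_ports):
        self.mac_db = {normalize_mac(m): v for m, v in mac_db.items()}
        self.static_ports = dict(static_ports)
        self.port_vlan = dict(static_ports)  # port -> VLAN currently applied
        self.mac_port = {}                   # MAC -> dynamic port it occupies

    def host_connects(self, port, mac):
        """Return the VLAN applied to the port, or None if it stays unassigned."""
        mac = normalize_mac(mac)
        if port in self.static_ports:
            return self.static_ports[port]   # static: the MAC is not consulted
        # Forget whichever host used this port before the new one plugged in.
        self.mac_port = {m: p for m, p in self.mac_port.items() if p != port}
        old_port = self.mac_port.pop(mac, None)
        if old_port is not None:
            self.port_vlan.pop(old_port, None)  # host moved: release old port
        vlan = self.mac_db.get(mac)
        if vlan is None:
            self.port_vlan.pop(port, None)   # assumption: unknown MAC, no VLAN
            return None
        self.port_vlan[port] = vlan
        self.mac_port[mac] = port
        return vlan
```

On a dynamic port the VLAN follows the MAC address from port to port, while the static port keeps VLAN 30 whichever host attaches to it.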
