
Technology Update

VLAN Explained

What is a VLAN?
A VLAN is a switched network that is logically segmented on a functional basis rather than on an
actual physical basis. For example, all nodes used by a particular workgroup team can be
connected to the same VLAN, regardless of their physical connections to the network. This
concept may be extended not only to the nodes but also to the traffic types supported, including
user traffic, signalling and network management. What is more, as the links are virtual,
reconfiguration of the network can be done through software rather than by physically unplugging
and moving devices or wires.
[Diagram: a router connected by a trunk to Switch 1, which carries VLAN A and VLAN B; Switch 1
connected by a second trunk to Switch 2, which carries VLAN A, VLAN C and VLAN D]

In the diagram switch 1 supports two VLANs and switch 2 supports three VLANs. On switch 1, VLAN A
and VLAN B are sent through a single port, a process termed trunking, to the router and, if
necessary, through another port to switch 2. VLAN A, VLAN C and VLAN D are trunked from
switch 2 to switch 1, and through the first switch to the router. The trunk link from the first switch to
the router can carry all four VLANs. The nodes on each VLAN can communicate with each other via
the trunking connection between the two switches using the router. For example, data from a node
on VLAN A that needs to get to a node on VLAN B (or VLAN C or VLAN D) must travel from the
switch to the router and back again to the switch. Because of the transparent bridging algorithm
and trunking, both nodes and the router think that they are on the same physical segment.
Trunking may also be used to overcome bottlenecks at certain points in the network. These occur
at points such as file servers or other main functional nodes within the network. For example, if 10
nodes each with a 100Mbps connection to the switch are interfacing with a server occupying a
1Gbps interface, then these nodes would quickly saturate the interface to the server. Hence, just as
trunking may be used to logically group VLANs onto the same physical interface, it may also be
used to extend a VLAN over several physical interfaces. In this case, for instance, four gigabit ports
could be allocated to the VLAN, so overcoming the bottleneck.

Why VLAN
Diverse Layer 2 Technologies - nodes may be grouped independently of the Layer 2
technology they are connecting to. These include ATM, FDDI, and Fast Ethernet.
Network Management and Configuration - administrators can react quickly to relocations and
keep up with constant changes in the network due to node relocation just by changing the
VLAN member list in the router configuration.

mpirical limited 2007

www.mpirical.com
Performance improvements - Broadcasts pass through the NIC on each and every node
within the broadcast domain. The host CPU has to examine the MAC layer broadcast to see if
it is of interest. As VLANs limit the broadcast domain, the amount of broadcast traffic that must
be processed by a node is drastically reduced.
Privacy - only nodes on the same VLAN may see traffic for this VLAN. That is, switches will only
pass the traffic out of ports identified for that VLAN. This however does not mean that other
security features should not be employed, as a simple network probe on a trunk can read all
traffic on the trunk.

VLAN Tagging
The IEEE 802.1Q specification establishes a standard method for tagging Ethernet frames with
VLAN membership information. IEEE 802.1Q performs the functions described above by means of
tags. 802.1Q compliant switch ports can be configured to transmit tagged or untagged
frames. A tag field containing VLAN (and/or 802.1P priority) information can be inserted into an
Ethernet frame. If a port has an 802.1Q compliant device attached, such as another switch, these
tagged frames can carry VLAN membership information between switches, thus letting a VLAN
span multiple switches.

IEEE 802.1Q Frame Format


Tag Protocol Identifier - this is set to 0x8100 to inform receivers that this frame is part of a VLAN.
User Priority - this 3-bit field represents CoS (Class of Service) at the Data Link layer and may
reflect the DSCP (Differentiated Services Code Point) value of the higher layer IP datagram.
Ultimately, the User Priority field helps to improve QoS.
CFI (Canonical Format Indicator) - this is used to indicate the presence of an E-RIF (Embedded
Routing Information Field). The E-RIF can be included within the frame to support
interconnection with other MAC layer technologies.
VID - this is a 12-bit value used to identify an Ethernet frame as belonging to a particular VLAN.
All devices generating traffic for the same VLAN will utilize the same VID value.
[Figure: IEEE 802.1Q frame format - Ethernet Header | Tag Protocol Identifier | Tag Control
Information: User Priority (3 bits), CFI (1 bit), VID (12 bits) | Ethernet Payload and Framing]
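Added example (not from the original newsletter): a small Python parser and builder for the 802.1Q tag described above, plus a check that tallies the VIDs seen on a trunk and flags frames whose VID is not in the trunk's allowed set or that carry no tag at all. The MAC addresses, the VID numbering (VLAN A as VID 10, VLAN B as VID 20) and the sample frames are constructed assumptions.

```python
import struct
from collections import Counter
TPID_8021Q = 0x8100  # Tag Protocol Identifier value given in the text

def parse_tag(frame: bytes):
    """Return (priority, cfi, vid, inner_ethertype), or None if untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short for a tagged Ethernet header")
    # Bytes 12-17: TPID, Tag Control Information, then the encapsulated EtherType
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    priority = tci >> 13          # User Priority: top 3 bits of the TCI
    cfi = (tci >> 12) & 0x1       # CFI: the next bit
    vid = tci & 0x0FFF            # VID: low 12 bits
    return priority, cfi, vid, ethertype

def build_tagged_frame(dst, src, vid, priority, ethertype, payload, cfi=0):
    """Insert an 802.1Q tag between the MAC addresses and the EtherType."""
    if not 0 <= vid <= 0x0FFF or not 0 <= priority <= 7:
        raise ValueError("VID must fit in 12 bits and priority in 3 bits")
    tci = (priority << 13) | (cfi << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def audit_trunk(frames, allowed_vids):
    """Tally VIDs seen on a trunk; report frames whose VID is not allowed
    on that trunk, and untagged frames (reported with VID None)."""
    seen, unexpected = Counter(), []
    for i, frame in enumerate(frames):
        tag = parse_tag(frame)
        if tag is None:
            unexpected.append((i, None))
            continue
        vid = tag[2]
        seen[vid] += 1
        if vid not in allowed_vids:
            unexpected.append((i, vid))
    return seen, unexpected

# Constructed sample frames (hypothetical MACs, IPv4 EtherType, dummy payload)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
IPV4, PAYLOAD = 0x0800, b"\x45" + b"\x00" * 19
SAMPLE_FRAMES = [
    build_tagged_frame(DST, SRC, 10, 0, IPV4, PAYLOAD),   # VLAN A as VID 10
    build_tagged_frame(DST, SRC, 20, 5, IPV4, PAYLOAD),   # VLAN B as VID 20
    build_tagged_frame(DST, SRC, 10, 0, IPV4, PAYLOAD),
    build_tagged_frame(DST, SRC, 99, 0, IPV4, PAYLOAD),   # VID not on the trunk
    DST + SRC + struct.pack("!H", IPV4) + PAYLOAD,        # untagged frame
]
```

Running audit_trunk(SAMPLE_FRAMES, {10, 20, 30}) reports frame 3 (VID 99) and frame 4 (untagged) as unexpected, which is the kind of check a probe on a trunk port can be put to from the defender's side.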

IEEE 802.1P Priority Traffic


Network applications that require different transport characteristics, such as voice, video and
file data, used to require separate dedicated bandwidth to ensure the required quality of service
levels were available. Within the same VLAN, this traffic is controlled using IEEE 802.1P to define
up to eight traffic classes. Based on these classes, intervening switches and routers prioritise the
traffic accordingly. What is more, rate limiting to ensure high volume data does not swamp the rest
of the network can also be invoked. For instance, video traffic generated by a video conference
session can be rate limited to the speed at which the receiving station can receive and process the
video stream.

Next Month!
IP Network Security