Add VROOM with VLANs

Virtual LANs are a good way to speed up your network by grouping users and computers into logical, rather than physical, units. Here’s how they work.

Question: When is a network switch not really a switch?

Answer: When you’ve configured a Virtual LAN. Then it’s a router…sort of.

Don’t worry. Your networking equipment doesn’t need psychotherapy. But in today’s office environments, you may feel like you need some time on the couch after trying to keep up with changing network topologies, new services and applications, and users who demand flexibility and mobility in the use of their computing technology. While there are still LAN environments where every person’s workstation lives in a fixed location and all functionally-similar network users exist in close physical proximity to one another, this is becoming more of an exception than a rule. In this kind of rigid and unchanging network environment, administrators can easily rely on network switches to physically segment a network, isolating and optimizing traffic for individual departments and workgroups.

But what happens when your network gets more complicated than that? How about a department or project team whose members are scattered across different floors of a building or different buildings within a campus environment? At a certain point, network switches become less useful in segmenting traffic, because they only control unicast traffic—traffic sent directly between Workstation A and Workstation B. They do nothing to direct or restrict the flow of broadcast or multicast traffic; and on a large network this can create broadcast storms that can choke even the fattest pipe of available bandwidth. (If you need a refresher on how network packets are transmitted and routed, see the sidebar, “Where VLANs Live in the OSI Model.”)

So what’s the alternative? You can rely on your routers to direct traffic between these geographically-disparate users, but this can create traffic bottlenecks and slowdowns. What we need here is a smarter switch, one that will cut down on broadcast traffic overloads, but still transmits traffic without the overhead of complex routing tables. Enter the Virtual LAN, or VLAN.

VLAN Benefits
As the name suggests, a VLAN allows a group of workstations to communicate with each other as if they were connected to a single LAN, even if they’re physically connected to different segments. VLANs are created and managed by vendor-specific hardware and software utilities; the most common ones coming from 3COM, Cisco and the like. The main benefits of a VLAN include:

• Increased network performance. Because VLANs can segment not only directed traffic, but also multicast and broadcast packets, they can optimize the use of network bandwidth and take some of the pressure off already overworked routers. Grouping your users into VLANs will also help to contain network traffic within each individual VLAN, which will further optimize how your network uses its available bandwidth.

• Flexibility. One of the most attractive VLAN features is that you can control and optimize network traffic based on logical groupings of users and computers, rather than being pigeon-holed into basing traffic management decisions on physical network topology alone.

• Simplified network management. Depending on the specifics of the VLAN implemented, you can create VLANs at the software level, allowing you to quickly and easily modify VLAN configuration and memberships without changing a network’s physical wiring.

VLAN Security Concerns

Even though we’ve talked about some of the neat security tricks that you can play with VLANs, it’s important to keep in mind that Virtual LAN technology was created with network traffic management in mind, not network security. Just like any other part of your network, your VLAN equipment needs to be secured against unauthorized access to both the physical hardware and the software-based administrative utilities. Most switches can be managed over both an in-band and an out-of-band connection, which is essentially the difference between using telnet to connect to a switch over your usual network connection and physically connecting to the switch using a serial port and cable. Because anyone gaining access to your switch configurations can wreak havoc on your network traffic, it’s usually best to disable any telnet-based or other in-band management utilities unless absolutely necessary.

You should also keep in mind that VLANs themselves can be subject to a number of network attacks. VLAN tags only identify that a particular packet originated from a particular VLAN; they don’t perform any actual authorization of the sender. And since MAC addresses can be spoofed, an attacker can attempt to flood a misconfigured switch with bogus packets, overloading the switch and causing a denial of service. In the interests of providing “defense in depth” for your network, you need to pay just as much attention to its underlying network infrastructure as you do to OS patches and anti-virus signatures.

—Laura E. Hunter

Membership Has Its Privileges
Take a typical office building where Accounting, Sales and IT staff are scattered across three floors.

Now, rather than using routers to cut down on broadcast traffic, you can create three separate VLANs, one for each department, which will isolate network traffic to only those users who require it. This provides a reasonable compromise between the security and traffic reduction provided by a router and the transmission speeds afforded by relying on switches.

How does the VLAN know who needs to see which traffic? VLAN traffic routing is based on memberships in one or more VLANs, which can be established in one of three ways:

• Port ID. The simplest way to specify VLAN membership is based on the port number on a VLAN-enabled switch into which a particular computer is plugged. Using VLAN management software, you can specify that ports 1-3 correspond to the Accounting VLAN, 4-10 belong to Sales and 11-15 belong to IT. If a user or device moves from one location to another, just change the port assignments. This is also done at the software level, rather than forcing you to do any rewiring in your cable closets. (The advantage is that the change, once made on the switch, is invisible to the user.)

• MAC address. You can also administer VLAN memberships on the basis of the hardware address of a network device’s NIC. In this scenario, each VLAN switch maintains a table of each device’s hardware address, along with the VLAN memberships corresponding to that address. This allows for even more flexibility than assigning memberships based on Port ID, since if a device moves from one location to another, you don’t need to change any port ID assignments. The change is transparent to both user and administrator. This technique’s major drawback is that it becomes difficult to assign a device to multiple VLANs—for instance, in the case of a file server that needs to be accessed by all three departments.

• 802.1q. The IEEE has established a protocol standard for VLAN implementations, where identifying information is included in the network packets themselves. This creates the most flexibility in creating VLANs and helps create VLANs spanning multiple switches. Your biggest gotcha with this technique rears its head if you’re using legacy networking equipment that doesn’t support “tagged” packets. Before 802.1q’s introduction, the maximum frame size for an Ethernet packet was 1,518 bytes; the 802.1q header created the need to increase that maximum to 1,522. If you’re using older switches or routers that don’t understand 802.1q packets, they might drop any they receive as oversized and invalid. There are also other vendor- or medium-specific protocols that can assist in transmitting VLAN information, including LANE for ATM networks and ISL for Fast Ethernet.
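To make the 802.1q “tagged packet” point concrete, here is an added example (not code from the article) that builds and parses Ethernet frames with and without the 4-byte 802.1Q tag and shows why a legacy device that only knows the 1,518-byte limit rejects a full-size tagged frame. The MAC addresses, payload and 4-byte FCS placeholder are constructed test data.

```python
import struct

# IEEE 802.1Q values; the 1,518 / 1,522 byte limits are the ones the article cites
TPID_8021Q = 0x8100
MAX_UNTAGGED_FRAME = 1518   # dst + src + type + 1500-byte payload + 4-byte FCS
MAX_TAGGED_FRAME = 1522     # the same frame plus the 4-byte 802.1Q tag

def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet frame (constructed test data); the FCS is a 4-byte placeholder, not a real CRC."""
    header = dst + src
    if vlan_id is not None:
        tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)   # DEI bit left at 0
        header += struct.pack("!HH", TPID_8021Q, tci)
    header += struct.pack("!H", ethertype)
    return header + payload + b"\x00\x00\x00\x00"

def parse_frame(frame):
    """Return addresses, the 802.1Q fields if a tag is present, and the inner EtherType."""
    if len(frame) < 18:   # 14-byte header plus FCS is the least we accept
        raise ValueError("truncated Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan_id": None, "priority": None, "tagged": False}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 22:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["priority"] = tci >> 13        # 3-bit PCP
        info["vlan_id"] = tci & 0x0FFF      # 12-bit VID
        info["tagged"] = True
        offset = 18
    info["ethertype"] = ethertype
    info["payload_len"] = len(frame) - offset - 4   # strip header and FCS
    return info

def legacy_device_drops(frame):
    """A pre-802.1Q switch or router treats anything over 1,518 bytes as oversized and invalid."""
    return len(frame) > MAX_UNTAGGED_FRAME

if __name__ == "__main__":
    acct_pc = bytes.fromhex("02aabbcc0001")      # constructed, locally administered MACs
    file_srv = bytes.fromhex("02aabbcc00ff")
    payload = b"\x00" * 1500                     # maximum Ethernet payload
    plain = build_frame(file_srv, acct_pc, 0x0800, payload)
    tagged = build_frame(file_srv, acct_pc, 0x0800, payload, vlan_id=10, priority=3)
    print(len(plain), legacy_device_drops(plain))      # 1518 False
    print(len(tagged), legacy_device_drops(tagged))    # 1522 True
    print(parse_frame(tagged))
```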

VLAN memberships can also help improve the overall security of your network. By limiting broadcast and multicast traffic to specific ports on VLAN-enabled switches, you help reduce the amount of sensitive network traffic exposed to a malicious packet sniffer. You can also use VLAN memberships to create some interesting security behaviors—for example, you can create a segregated VLAN for any unrecognized MAC addresses, perhaps a VLAN with no access to external or Internet resources. Once you’ve done this, you can quarantine any new or foreign machines there until they can be verified and added to a more functional VLAN.
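The following is an added example (not any vendor’s switch software) that models the two behaviors just described: a port-based switch using the article’s 1-3 / 4-10 / 11-15 port layout that floods broadcasts only within a VLAN, and a quarantine VLAN that any unrecognized source MAC is parked in. The VLAN numbers, quarantine ID and MAC addresses are constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
QUARANTINE_VLAN = 999   # constructed ID for the holding VLAN with no external access

@dataclass
class VlanSwitch:
    """Toy model of a VLAN-enabled switch.

    port_vlan: port number -> VLAN ID (the Port ID membership method).
    known_hosts: approved source MACs; any other source MAC is quarantined.
    """
    port_vlan: dict
    known_hosts: set
    active_vlan: dict = field(default_factory=dict)  # port -> VLAN in effect right now
    mac_table: dict = field(default_factory=dict)    # learned MAC -> port

    def __post_init__(self):
        self.active_vlan = dict(self.port_vlan)

    def forward(self, ingress_port, src_mac, dst_mac):
        """Return the egress ports for one frame; VLAN membership bounds every flood."""
        if src_mac in self.known_hosts:
            vlan = self.port_vlan[ingress_port]
        else:
            vlan = QUARANTINE_VLAN           # unrecognized MAC: park its port in quarantine
        self.active_vlan[ingress_port] = vlan
        self.mac_table[src_mac] = ingress_port   # normal source-address learning
        if dst_mac in self.mac_table:            # known unicast destination
            out = self.mac_table[dst_mac]
            # same VLAN: switch it; different VLAN: only a router may carry it across
            return {out} if self.active_vlan[out] == vlan else set()
        # broadcast/multicast or unknown unicast: flood, but only to this VLAN's ports
        return {p for p, v in self.active_vlan.items() if v == vlan and p != ingress_port}

def office_switch():
    """The article's layout: ports 1-3 Accounting (VLAN 10), 4-10 Sales (20), 11-15 IT (30)."""
    port_vlan = {p: 10 for p in range(1, 4)}
    port_vlan.update({p: 20 for p in range(4, 11)})
    port_vlan.update({p: 30 for p in range(11, 16)})
    known = {"02:00:00:00:00:01", "02:00:00:00:00:02",   # constructed MACs
             "02:00:00:00:00:04", "02:00:00:00:00:0b"}
    return VlanSwitch(port_vlan, known)

if __name__ == "__main__":
    sw = office_switch()
    print(sw.forward(1, "02:00:00:00:00:01", BROADCAST))   # {2, 3}: Accounting only, not all 14 ports
    print(sw.forward(3, "02:00:00:00:00:99", BROADCAST))   # set(): foreign MAC on port 3 is quarantined
    print(sw.forward(2, "02:00:00:00:00:02", "02:00:00:00:00:01"))  # {1}: same-VLAN unicast
    print(sw.forward(4, "02:00:00:00:00:04", "02:00:00:00:00:01"))  # set(): Sales to Accounting needs the router
```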

Where VLANs Live in the OSI Model

In order to really understand how VLANs work, you need to know where they live in the hierarchy of the OSI model. The OSI model creates a common framework for vendors to create and implement networking protocols in a standardized fashion. It creates a logical diagram of how information travels from the physical network cabling until it’s available on the user desktop and back again. It also helps to define how network addressing and communications can take place across hardware and software from many and diverse vendors and manufacturers.

Network information is transmitted at the lowest level of the OSI model, the Physical layer. This is where the actual physical media lives: Ethernet cabling and the like. Information on the Physical layer is expressed as electrical signals, 1s and 0s. From there, the device’s network card takes the information off the wire and passes it to the Data Link layer. At this point the data is grouped into frames, and each frame carries the MAC address of the originating NIC as its source address. Network switches use this MAC information to transmit unicast traffic, but without a VLAN they’re unable to filter or reduce broadcast traffic, which is transmitted to every device on a segment.

—Laura E. Hunter

VLAN Implementation
Let’s look at an example of how VLANs can be implemented in a larger environment. Figure 1 shows a diagram of a typical multi-building network campus. In this example, each location is configured as its own physical LAN, with routers separating each LAN from the network backbone.

Figure 1. This typical network suffers from slowdowns as traffic passes over the routers.

Figure 2. The same network as Figure 1, now using VLANs. This network will be much faster.

The difficulty is that as new locations are added and the network expands, more routers will be needed to separate broadcast domains from each other. If users in different buildings need to communicate frequently, this can lead to ever-increasing network latency as traffic gets routed from one location to another. But how do you allow VLAN information to traverse a WAN? There are a number of solutions, most of which are vendor-specific. To provide an example of one possibility, let’s assume that our network backbone runs the ATM protocol. We can use the LAN Emulation (or LANE) protocol to allow Layer-2 switching information to be propagated over the network backbone. This will create a network similar to the one shown in Figure 2, which allows even a network of this size to create logical VLAN groupings for its users. Rather than having each building separated from the backbone by a router, they now use ATM switches as their edge devices. A single router routes traffic between the four switched segments; the router would need to be configured as a member of all four VLANs. In the resulting network topology, users in Subnet 1 would be able to access the AS/400 in VLAN 3 with a minimum of traffic delays, and traffic from the AS/400 can be isolated from any other VLANs that don’t require access to it.

As you can see, using VLAN technology to segment a mid- to large-sized network offers a good way to reduce unnecessary network traffic without creating the traffic slowdowns that can come with implementing complex routing tables. By managing Layer-2 traffic from a logical instead of physical standpoint, you can use the Virtual LAN to manage your users’ traffic routing needs dynamically without being constrained by physical cabling or subnet locations. While most current VLAN technology uses vendor-specific management software, this shouldn’t preclude you from examining its potential to improve performance and security for your Local and Wide Area Networks.
