Add VROOM with VLANs
Virtual LANs are a good way to speed up your network by grouping users and
computers into logical, rather than physical, units. Here’s how they work.
Question: When is a network switch not really a switch?
Answer: When you’ve configured a Virtual LAN. Then it’s a router…sort of.
Don’t worry. Your networking equipment doesn’t need psychotherapy. But in today’s office environments, you may feel like you need some time on the couch after trying to keep up with changing network topologies, new services and applications, and users who demand flexibility and mobility in the use of their computing technology. While there are still LAN environments where every person’s workstation lives in a fixed location and all functionally-similar network users exist in close physical proximity to one another, this is becoming more of an exception than a rule. In this kind of rigid and unchanging network environment, administrators can easily rely on network switches to physically segment a network, isolating and optimizing traffic for individual departments and workgroups.
But what happens when your network gets more complicated than that? How about a department or project team whose members are scattered across different floors of a building or different buildings within a campus environment? At a certain point, network switches become less useful in segmenting traffic, because they only control unicast traffic—traffic sent directly between Workstation A and Workstation B. They do nothing to direct or restrict the flow of broadcast or multicast traffic; and on a large network this can create broadcast storms that can choke even the fattest pipe of available bandwidth. (If you need a refresher on how network packets are transmitted and routed, see the sidebar, “Where VLANs Live in the OSI Model.”)
So what’s the alternative? You can rely on your routers to direct traffic
between these geographically-disparate users, but this can create traffic
bottlenecks and slowdowns. What we need here is a smarter switch, one
that will cut down on broadcast traffic overloads, but still transmits
traffic without the overhead of complex routing tables. Enter the Virtual
LAN, or VLAN.
As the name suggests, a VLAN allows a group of workstations to communicate
with each other as if they were connected to a single LAN, even if they’re
physically connected to different segments. VLANs are created and managed
by vendor-specific hardware and software utilities, the most common of which
come from 3Com, Cisco and the like. The main benefits of a VLAN include:
Increased network performance. Because VLANs can segment not
only directed traffic, but also multicast and broadcast packets, they
can optimize the use of network bandwidth and take some of the pressure
off already overworked routers. Grouping your users into VLANs will also
help to contain network traffic within each individual VLAN, which will
further optimize how your network uses its available bandwidth.
Flexibility. One of the most attractive VLAN features is that
you can control and optimize network traffic based on logical groupings
of users and computers, rather than being pigeon-holed into basing traffic
management decisions on physical network topology alone.
Simplified network management. Depending on the specifics of
the VLAN implemented, you can create VLANs at the software level, allowing
you to quickly and easily modify VLAN configuration and memberships without
changing a network’s physical wiring.
Even though we’ve talked about some of
the neat security tricks that you can play with VLANs,
it’s important to keep in mind that Virtual LAN technology
was created with network traffic management in mind,
not network security. Just like any other part of your
network, your VLAN equipment needs to be secured against
unauthorized access to both the physical hardware and
the software-based administrative utilities. Most switches
can be managed with both an in-band and an out-of-band
connection, which is essentially the difference between
using telnet to connect to a switch over your usual
network connection, vs. physically connecting to the
switch using a serial port and cable. Because anyone
gaining access to your switch configurations can wreak
havoc on your network traffic, it’s usually best to
disable any telnet-based or other in-band management
utilities unless absolutely necessary.
You should also keep in mind that VLANs themselves
can be subject to a number of network attacks. VLAN
tags only identify that a particular packet originated
from a particular VLAN; they don’t perform any actual
authorization of the sender. And since MAC addresses
can be spoofed, an attacker can attempt to flood a misconfigured
switch with bogus packets, overloading the switch and
causing a denial of service. In the interests of providing
“defense in depth” for your network, you need to pay
just as much attention to its underlying network infrastructure
as you do to OS patches and anti-virus signatures.
—Laura E. Hunter
Membership Has Its Privileges
Take a typical office building where Accounting, Sales and IT staff are
scattered between three floors.
Now, rather than using routers to cut down on broadcast traffic, you can create three separate VLANs, one for each department, which will isolate network traffic to only those users who require it. This provides a reasonable compromise between the security and traffic reduction provided by a router and the transmission speeds afforded by relying on switches.
How does the VLAN know who needs to see which traffic? VLAN traffic routing is based on memberships in one or more VLANs, which can be established in one of three ways:
Port ID. The simplest way to specify VLAN membership is based
on the port number on a VLAN-enabled switch into which a particular computer
is plugged. Using VLAN management software, you can specify that ports
1-3 correspond to the Accounting VLAN, 4-10 belong to Sales and 11-15
belong to IT. If a user or device moves from one location to another,
just reassign the port assignments. This is also done at a software level,
rather than forcing you to do any rewiring in your cable closets. (The
advantage is that the change, once made on the switch, is invisible to
MAC address. You can also administer VLAN memberships on the
basis of the hardware address of a network device’s NIC. In this scenario,
each VLAN switch maintains a table of each device’s hardware address,
along with the VLAN memberships corresponding to that address. This allows
for even more flexibility than assigning memberships based on Port ID,
since if a device moves from one location to another, you don’t need to
change any port ID assignments. The change is transparent to both user
and administrator. This technique’s major drawback is that it becomes
difficult to assign a device to multiple VLANs—for instance, in the case
of a file server that needs to be accessed by all three departments.
802.1q. The IEEE has established a protocol standard for VLAN
implementations, where identifying information is included in the network
packets themselves. This creates the most flexibility in creating VLANs
and helps create VLANs spanning multiple switches. Your biggest gotcha
with this technique rears its head if you’re using legacy networking equipment
that doesn’t support “tagged” packets. Before 802.1q’s introduction, the
maximum frame size for an Ethernet packet was 1,518 bytes; the 802.1q
header created the need to increase that maximum to 1,522. If you’re using
older switches or routers that don’t understand 802.1q packets, they might
drop any they receive as oversized and invalid. There are also other vendor-
or medium-specific protocols that can assist in transmitting VLAN information,
including LANE for ATM networks and ISL for Fast Ethernet.
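To make the tagging and frame-size point concrete, here is an added example (my own code, not from the article or any vendor's tooling) that parses an Ethernet frame, extracts the 802.1Q VLAN ID and priority when the 0x8100 tag is present, and reports whether a device that predates 802.1Q would discard the frame as oversized. The MAC addresses and payload are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100       # EtherType value announcing that an 802.1Q tag follows
FCS_LEN = 4               # trailing frame check sequence, counted in the size limits
LEGACY_MAX_FRAME = 1518   # pre-802.1Q maximum Ethernet frame size, in bytes
TAGGED_MAX_FRAME = 1522   # the 4-byte tag raised the maximum to this

@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    priority: int            # 3-bit priority code point from the tag (0 if untagged)
    ethertype: int           # protocol of the payload, e.g. 0x0800 for IPv4
    payload: bytes

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame (captured without FCS) and pull out any 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    vid, pcp, offset = None, 0, 14
    if etype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13         # top 3 bits: priority
        vid = tci & 0x0FFF      # low 12 bits: VLAN identifier
        offset = 18
    return Frame(_mac(dst), _mac(src), vid, pcp, etype, raw[offset:])

def legacy_would_drop(raw: bytes) -> bool:
    """True if a switch or router that predates 802.1Q would discard the frame as oversized."""
    return len(raw) + FCS_LEN > LEGACY_MAX_FRAME

def build_tagged(dst: bytes, src: bytes, vid: int, pcp: int, etype: int, payload: bytes) -> bytes:
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, etype) + payload

# Constructed sample: a full 1500-byte IPv4 payload, tagged for VLAN 20 with priority 5.
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 1499
TAGGED = build_tagged(DST, SRC, 20, 5, 0x0800, PAYLOAD)
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD
```

The tagged sample comes to 1,522 bytes on the wire, so an 802.1Q-unaware device would reject it, while the identical untagged frame sits exactly at the old 1,518-byte limit and passes.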
VLAN memberships can also help improve the overall security of your network.
By limiting broadcast and multicast traffic to specific ports on VLAN-
enabled switches, you help reduce the amount of sensitive network traffic
exposed to a malicious packet sniffer. You can also use VLAN memberships
to create some interesting security behaviors—for example, you can create
a segregated VLAN for any unrecognized MAC addresses, perhaps a VLAN with
no access to external or Internet resources. Once you’ve done this, you
can quarantine any new or foreign machines there until they can be verified
and added to a more functional VLAN.
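An added example, not from the article, that models the port-ID and MAC-address membership schemes described above: it floods broadcasts only to ports in the same VLAN, drops unregistered hardware addresses into a quarantine VLAN, and flags a port that suddenly sources far more MAC addresses than a single workstation would, which is what the spoofed-MAC flood in the security sidebar looks like from the switch's side. The VLAN numbers and hardware addresses are assumed values.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List
# Assumed VLAN ids for this example (not from the article): one per department, plus a
# quarantine VLAN with no external access for hardware addresses nobody has registered.
ACCOUNTING, SALES, IT, QUARANTINE = 10, 20, 30, 999

@dataclass
class VlanSwitch:
    """Toy model of a VLAN-capable switch: membership by port ID or by MAC address."""
    mode: str                                                  # "port" or "mac"
    port_vlans: Dict[int, int] = field(default_factory=dict)   # port -> VLAN (port mode)
    mac_vlans: Dict[str, int] = field(default_factory=dict)    # MAC -> VLAN (mac mode)
    learned: Dict[str, int] = field(default_factory=dict)      # MAC -> port it was last seen on

    def ingress(self, port: int, src_mac: str) -> int:
        """Record where the sender was seen and return the VLAN its frames belong to."""
        src_mac = src_mac.lower()
        self.learned[src_mac] = port
        if self.mode == "port":
            return self.port_vlans[port]
        # MAC mode: one VLAN per address (hence the file-server limitation the article
        # mentions); an address that was never registered lands in quarantine.
        return self.mac_vlans.get(src_mac, QUARANTINE)

    def flood_ports(self, vlan: int, ingress_port: int) -> List[int]:
        """Ports a broadcast/multicast frame in `vlan` is flooded to (never the ingress port)."""
        if self.mode == "port":
            ports = {p for p, v in self.port_vlans.items() if v == vlan}
        else:
            ports = {self.learned[m] for m, v in self.mac_vlans.items()
                     if v == vlan and m in self.learned}
        return sorted(ports - {ingress_port})

    def suspicious_ports(self, max_macs: int) -> List[int]:
        """Ports that sourced more distinct MACs than one workstation plausibly would."""
        per_port = Counter(self.learned.values())
        return sorted(p for p, n in per_port.items() if n > max_macs)

def build_port_switch() -> VlanSwitch:
    """Ports 1-3 Accounting, 4-10 Sales, 11-15 IT, as in the article."""
    table = {p: ACCOUNTING for p in range(1, 4)}
    table.update({p: SALES for p in range(4, 11)})
    table.update({p: IT for p in range(11, 16)})
    return VlanSwitch(mode="port", port_vlans=table)

def build_mac_switch() -> VlanSwitch:   # constructed hardware addresses for the example
    return VlanSwitch(mode="mac", mac_vlans={"00:11:22:33:44:01": ACCOUNTING,
                                             "00:11:22:33:44:02": SALES,
                                             "00:11:22:33:44:03": SALES})
```

In MAC mode a device that moves to another port keeps its VLAN with no reconfiguration, exactly the transparency the article describes, while the per-port MAC count gives a defender a simple threshold to alarm on.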
Where VLANs Live in the OSI Model
In order to really understand how VLANs
work, you need to know where they live in the hierarchy
of the OSI model. The OSI model creates a common framework
for vendors to create and implement networking protocols
in a standardized fashion. It creates a logical diagram
of how information travels from the physical network
cabling until it’s available on the user desktop and
back again. It also helps to define how network addressing
and communications can take place across hardware and
software from many and diverse vendors and manufacturers.
Network information is transmitted at the lowest level
of the OSI model, the Physical layer. This is where
the actual physical media lives: Ethernet cabling and
the like. Information on the Physical layer is expressed
in electrical charges, 1s and 0s. From there, the device’s
network card takes the information off of the wire and
passes it to the Data Link layer. At this point the
data is grouped into frames, and each frame has been
given a unique identifier based on the MAC address of
the originating NIC. Network switches use this MAC information
to transmit unicast traffic, but without use of a VLAN
they’re unable to filter or reduce broadcast traffic
that’s transmitted to every device on a segment.
—Laura E. Hunter
Let’s look at an example of how VLANs can be implemented in a larger environment.
Figure 1 shows a diagram of a typical multi-building network campus. In
this example, each location is configured as its own physical LAN, with
routers separating each LAN from the network backbone.
Figure 1. This typical network suffers from slowdowns as traffic passes over the routers.
Figure 2. The same network as Figure 1, now using VLANs. This network will be much faster.
The difficulty is that as new locations are added and the network expands, more routers will be needed to separate broadcast domains from each other. If users in different buildings need to communicate frequently, this can lead to ever-increasing network latency as traffic gets routed from one location to another.
But how do you allow VLAN information to traverse a WAN? There are a number of solutions, most of which are vendor-specific. To provide an example of one possibility, let’s assume that our network backbone runs the ATM protocol. We can use the LAN Emulation (or LANE) protocol to allow Layer-2 switching information to be propagated over the network backbone. This will create a network similar to the one shown in Figure 2, which allows even a network of this large size to create logical VLAN groupings for its users.
Rather than having each building separated from the backbone by a router, they are now using ATM switches as their edge devices. A single router is used to route traffic between the four switched segments; the router would need to be configured as a member of all four VLANs. In the resultant network topology, users in Subnet 1 would be able to access the AS/400 in VLAN 3 with a minimum of traffic delays, and traffic from the AS/400 can be isolated from any other VLANs that don’t require access to it.
As you can see, using VLAN technology to segment a mid- to large-sized
network offers a good way to reduce unnecessary network traffic without
creating the traffic slowdowns that can come with implementing complex
routing tables. By managing Layer-2 traffic from a logical instead of
physical standpoint, you can use the Virtual LAN to manage your users’
traffic routing needs dynamically without being constrained by physical
cabling or subnet locations. While most current VLAN technology uses vendor-specific
management software, this shouldn’t preclude you from examining its potential
to improve performance and security for your Local and Wide Area Networks.