A decade ago, a simple switch was something that only large companies with big budgets could afford, while the rest, with tight budgets, were left with hubs as their only affordable solution to interconnect their local networks.
Since then, a lot has clearly changed in IT: new products and enhancements constantly appear, trying to win network engineers', managers' and administrators' hearts by making their lives easier -- increasing network efficiency, redundancy and, most importantly, security.
The popular hubs that cost a fortune back in the day are easily obtainable today for only a few dollars, while switches have taken their place in most small to large networks.
The manufacturing costs of switches have dropped, and their demand in the marketplace continues to increase each day. This has made room for newer, smarter and more reliable switches, packed with features we could only dream of a few years back.
One of the most popular features today's switches incorporate is virtual local area network (VLAN) support. VLANs are considered a new trend in the IT industry -- one that has brought switches to the next level by eliminating the need for routers in most situations. This undoubtedly lowers the costs associated with partitioning networks in order to increase network security, efficiency and availability.
What exactly are VLANs?
VLANs were created in order to allow IT professionals to partition their networks physically and logically without the need to run new cables or to make major changes in their current network infrastructure. This consequently would increase network security and performance.
A switch that supports VLANs will allow the administrator to select which ports will participate in the VLAN. These ports are then grouped to become one VLAN, and any broadcasts or information passed among these ports will not be seen by the remaining ports on the switch.
For example, if we took a 24-port switch that supported VLANs and assigned the first 12 ports (ports 1 to 12) to VLAN1 and the rest of the ports (13 to 24) to VLAN2, we would effectively have two separate networks that are unable to communicate with each other, using just one switch!
In the past, to achieve the same result, we would need to buy two separate switches and connect each host to the appropriate switch. As you can see, we are now able to create separate networks and workgroups with a click of a mouse!
There are multiple methods for establishing VLAN membership: a VLAN can be assigned statically or dynamically. The most common type is static membership, sometimes called "port-based" membership. This is the method described in the previous section, where VLAN membership is determined by the port on the switch and not by the host. The port stays assigned to the VLAN until the network administrator reassigns it to another VLAN.
This method proves very useful and is preferred in network environments where the network setup doesn't change frequently.
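To make port-based membership concrete, here is an added example (not code from the article) of a tiny switch model: the port numbers and VLAN split are the 24-port case above, while the MAC addresses and the forwarding rules are constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """A switch with static, port-based VLAN membership (constructed model)."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN ID
        self.mac_table = {}                # (vlan, mac) -> port, learned per VLAN

    def receive(self, in_port, src_mac, dst_mac):
        """Return the set of ports the frame is forwarded out of."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src_mac)] = in_port     # learn within this VLAN only
        out_port = self.mac_table.get((vlan, dst_mac))
        if dst_mac != BROADCAST and out_port is not None:
            return set() if out_port == in_port else {out_port}
        # Broadcast or unknown destination: flood, but only to this VLAN's ports.
        return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}


def build_article_switch():
    """Ports 1-12 in VLAN1 and ports 13-24 in VLAN2, as in the text."""
    return VlanSwitch({p: 1 if p <= 12 else 2 for p in range(1, 25)})


def demo():
    sw = build_article_switch()
    host3, host7, host20 = "02:00:00:00:00:03", "02:00:00:00:00:07", "02:00:00:00:00:14"
    flooded = sw.receive(3, host3, BROADCAST)   # broadcast from a VLAN1 port
    # The switch learned host3 on port 3 in VLAN1, so port 7's reply is a known unicast.
    reply = sw.receive(7, host7, host3)
    # host3's MAC is unknown in VLAN2: the frame floods VLAN2 only and never reaches port 3.
    cross = sw.receive(20, host20, host3)
    return flooded, reply, cross


if __name__ == "__main__":
    flooded, reply, cross = demo()
    print(sorted(flooded), sorted(reply), sorted(cross))
```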
The second method is dynamically assigned VLANs, where the VLAN membership is based on the host's MAC address. With this method, the network administrator is required to create a database and populate it with the appropriate MAC address to VLAN mappings. The server that contains this database is referred to as the VLAN membership policy server, or VMPS.
This particular setup is used in networks where users tend to move frequently between floors or buildings. A prime example would be a group or department consisting of mobile users that require access to data stored on a particular file server or simply need to share information between each other.
As mentioned, VLANs are unable to communicate with each other, even when they exist on the same switch. This means that if we require our VLANs to communicate, traffic must pass through a router of some type. Each VLAN is required to have at least one gateway that will route packets in and out of that network.
So what happens when one switch simply does not have enough ports to service all participating VLAN members? Do you throw the switch away and buy a new one with increased capacity or is there an alternative? Luckily this problem has already been thought of and there is a readily available solution.
All VLAN-capable switches support what we call VLAN trunking. This allows us to cascade multiple switches using a special dedicated port that will interconnect them to each other. This port then becomes a dedicated path for each VLAN between the switches so that traffic can flow from one device to another in the switched environment.
If, for example, you have three different VLANs among three switches, then you need three links or ports, one between each switch set aside to handle the switch-to-switch traffic. This port is similar to the "uplink" port most hubs and switches incorporate and operates at speeds of 100 Mbps.
The process of connecting these links together is called "trunking." The port used as a trunk becomes a member of all configured VLANs. So if we happen to have three VLANs among our switches, the trunking port of each switch is a member of all three VLANs.
When data is passed through one of the trunks, it is encapsulated in a special frame and tagged according to the VLAN for which the data is destined. This process is called VLAN tagging. The tag is removed right before the data exits the port to which the frame is directed.
For example, Host A is a member of VLAN2 on switch No. 2. It sends a frame to Host C, which is a member of the same VLAN but resides on switch No. 3. As the frame moves between the two switches, it is tagged with the VLAN ID (in this case ID 2), passed through the trunk that connects the two switches, and eventually exits switch No. 3 at the port to which Host C is directly connected. The VLAN tag is stripped from the frame before it leaves that port, so Host C receives no VLAN information. The whole process is completely transparent to the devices or hosts connected to the switches.
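Here is an added example (not part of the article) that builds and strips the tag for Host A's frame using the IEEE 802.1Q tag format, the standard the article discusses below (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits carry the VLAN ID); the MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def tag_frame(frame, vid, pcp=0, dei=0):
    """Trunk ingress: insert the 4-byte tag after the two MAC addresses."""
    if not 1 <= vid <= 4094:               # VIDs 0 and 4095 are reserved
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """Return (vid, pcp, dei) if the frame is tagged, otherwise None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1


def access_egress(frame, port_vlan):
    """Access-port egress: strip the tag, but only for the port's own VLAN."""
    tag = parse_tag(frame)
    if tag is None or tag[0] != port_vlan:
        return None                         # not this port's VLAN: do not forward
    return frame[:12] + frame[16:]          # Host C never sees the tag


def demo():
    # Constructed frame from Host A (VLAN2, switch 2) to Host C (switch 3).
    dst = bytes.fromhex("02000000000c")     # Host C (constructed MAC)
    src = bytes.fromhex("02000000000a")     # Host A (constructed MAC)
    untagged = dst + src + b"\x08\x00" + b"payload from A"
    on_trunk = tag_frame(untagged, vid=2)   # what actually crosses the trunk
    to_host_c = access_egress(on_trunk, port_vlan=2)
    to_vlan1_port = access_egress(on_trunk, port_vlan=1)
    return untagged, on_trunk, to_host_c, to_vlan1_port


if __name__ == "__main__":
    u, t, c, v1 = demo()
    print(t.hex(), parse_tag(t), c == u, v1)
```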
Currently, there are four different methods of "tagging" a frame. They depend on the topology and WAN protocols used to interconnect switches and networks.
Cisco switches primarily use Inter-Switch Link (ISL), a proprietary Cisco technology designed well before the Ethernet trunking standards were created. The IEEE 802.1Q standard is today's industry-adopted method for tagging VLANs and is found in every other vendor's switches. Cisco switches support both of the above methods.
The last two methods for VLAN tagging are LAN emulation (LANE), used in ATM environments, and the use of the Security Association Identifier (SAID) field in IEEE 802.10 Fiber Distributed Data Interface (FDDI) networks. SAID, again, is proprietary technology from Cisco.
Virtual Trunk Protocol
When a switch is configured to support a VLAN, it creates a database of all known VLANs. Since all switches participating in a VLAN need to have the same view of the network and its available VLANs, there needs to be some way to share and update their databases. This is where the Virtual Trunk Protocol (VTP) comes into the picture.
VTP is used to manage the addition, deletion and modification of VLANs in a network. It sends its updates across VLAN1, the management VLAN, and ensures that all switches are up to date.
VTP works much like a routing protocol, sending updates and messages through the trunk links every five minutes, or whenever a change in the network occurs. These advertisements contain the VTP domain name, the configuration revision number (much like the serial number in a DNS zone), and all VLAN parameters.
There are three modes in which VTP can operate: server, client and transparent.
- Server mode is the default for most Cisco switches. All changes made to the configured VLANs are stored in the switch's NVRAM.
- In VTP client mode, users are not allowed to create or delete VLANs. The switch will still propagate any changes made in the VLAN network but will not save them to its NVRAM. This also means that when the switch boots up in this mode, it will issue a request for a list of VLANs from a VTP server switch.
- The last mode, VTP transparent, will make the switch ignore all advertisements it receives from other switches and also allow users to create and delete VLANs. All changes are saved locally in NVRAM and the switch will never respond to any request it might receive from other switches.
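An added example (not from the article) that models the three modes as described; it assumes, following the article's DNS-serial analogy, that an advertisement from the same domain with a higher configuration revision number replaces the local VLAN list, which is also why a transparent-mode switch is the only one that keeps its own list regardless of what arrives on the trunk.

```python
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    """Constructed model of one switch's VTP behaviour (not Cisco's implementation)."""
    name: str
    domain: str
    mode: str = "server"            # "server" (the default), "client" or "transparent"
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    nvram: dict = field(default_factory=dict)   # VLAN list that survives a reboot

    def create_vlan(self, vid, name):
        """Return True if the VLAN could be created on this switch."""
        if self.mode == "client":
            return False            # client mode: users may not create or delete VLANs
        self.vlans[vid] = name
        self.nvram = dict(self.vlans)           # server and transparent save locally
        if self.mode == "server":
            self.revision += 1      # a newer revision is what other switches accept
        return True

    def advertise(self):
        """Transparent switches send nothing; servers (and clients, relaying) do."""
        if self.mode == "transparent":
            return None
        return (self.domain, self.revision, dict(self.vlans))

    def receive(self, adv):
        """Return True if the advertisement replaced the local VLAN list."""
        if adv is None or self.mode == "transparent":
            return False            # transparent mode ignores every advertisement
        domain, revision, vlans = adv
        if domain != self.domain or revision <= self.revision:
            return False            # other domain, or nothing newer (assumption: higher wins)
        self.vlans, self.revision = dict(vlans), revision
        if self.mode == "server":
            self.nvram = dict(self.vlans)       # a client keeps the update in RAM only
        return True


def demo():
    core = VtpSwitch("core", "corp")                     # server, the default mode
    floor2 = VtpSwitch("floor2", "corp", mode="client")
    lab = VtpSwitch("lab", "corp", mode="transparent")
    core.create_vlan(10, "staff")
    adv = core.advertise()
    return floor2.receive(adv), lab.receive(adv), floor2.create_vlan(20, "guest"), floor2.nvram


if __name__ == "__main__":
    print(demo())
```

Because the comparison is purely numeric, any switch in the domain advertising a higher revision is accepted by servers and clients alike, which is the behaviour to keep in mind when a previously configured switch is connected to a trunk.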
Chris Partsenidis is the founder and senior editor of Firewall.cx -- a website he created to help the IT community benefit from his networking knowledge. Today, Firewall.cx has become a respected Web site that attracts over 24,000 visitors per month.