It’s all about the VLAN

on 06/07/2022, by Jeff Vance, IDG NS (adapted by Jean Elyan), Networks, 1793 words

Using virtual local area network (VLAN) technology, network architects can segment physical devices into logical subgroups and gain performance and security benefits.

A VLAN is a logical subnet of devices in a broadcast domain, divided by network switches and/or network management software, that can act as a separate LAN on its own. Switches that support VLANs give network managers the ability to create flexible virtual network segments separate from the underlying wired or wireless physical topology. VLANs work at Layer 2 (the data link layer) or at Layer 3 (the network layer), depending on the network design. Various network protocols support VLANs, Ethernet and WiFi in particular.

Advantages of VLANs

VLANs offer several advantages. The most fundamental is the ability for network managers to move devices from one VLAN to another without having to rewire the network. Another benefit: VLANs help businesses overcome bottlenecks by reducing Layer 2 traffic. VLANs also improve security by limiting the devices that can access a particular VLAN, and they can be used to isolate groups of users. For example, a VLAN can be created to provide guest access to a WiFi network, isolating contractors and other third parties on a resource-constrained subnet. Or a network manager can create a VLAN for a specific department, such as HR or finance.

History of VLANs

Virtual Local Area Networks (VLANs) have been around for decades. They were invented by W. David Sincoskie in the 1980s while he was working for Bellcore. After the Bell System was broken up in 1982 under antitrust law, Bell Communications Research (now iconectiv) was founded as a new company built from the assets of New Jersey-based Bell Labs. Better known as Bellcore, this Baby Bell recruited most of its staff from former Bell Labs employees. In 1984, W. David Sincoskie, a former Bell Labs computer engineer, joined Bellcore to work on IP telephony. Bellcore implemented the first Ethernet LAN, and while looking for a way to eliminate bottlenecks and increase capacity, Mr. Sincoskie created the first VLANs.

The problem the computer engineer needed to solve with Ethernet is that this broadcast medium sends a host's signal to every device on the network, and each device then has to process the received frames whether or not they are relevant to it. This puts a heavy load on the CPU of each device while clogging the network with unnecessary traffic. Also, at that time, there was no proven way to connect multiple Ethernet networks. IP routing was a possible solution, but its downside was that IP routing was slow and expensive. So Sincoskie looked for a fast, inexpensive alternative with low CPU overhead, which led him to transparent bridging. Unfortunately, this approach created new problems, including bottlenecks at the core switches that limited scalability. W. David Sincoskie invented VLANs to solve this bottleneck problem. His concepts were later incorporated into Ethernet standards, such as the IEEE 802.1Q standard of 1998, which defines Ethernet VLANs. Later additions to the standard (IEEE 802.1ad and IEEE 802.1ah) added other mechanisms, such as nested VLAN tags, to facilitate bridging and improve scalability.

How VLANs work

Without VLANs, the problems of broadcast network design (congestion, high CPU overhead, poor security) can spread quickly, because Ethernet infrastructure devices such as hubs and routers let network managers build interconnected networks made up of several physically separate LANs. For example, a company could have a separate LAN for each department and connect them through hubs attached to a centralized Ethernet switch. Traditionally, VLANs are defined at the port level of an Ethernet switch. Switches have the advantage of splitting the interconnected network into smaller domains, but since these are still broadcast domains, the switch becomes a bottleneck that limits total capacity.

VLANs give network managers the ability to create virtual domains that group together devices that communicate frequently with each other, reducing congestion and CPU overhead while improving security by limiting the number of devices that can access a given VLAN. To handle traffic flowing from one VLAN to another, most networks are designed to pass this traffic through routers. Using network management software, each device in a VLAN is assigned a VLAN ID and placed in a VLAN group. This means the devices can be on any physical LAN connected to the switch, yet be segmented into a VLAN group that works as if it were a physically connected LAN. To move a device from one VLAN to another, the network administrator simply moves the device to another switch port or assigns it to a new VLAN through the network management software, depending on the network design.

Static VLAN vs. Dynamic VLAN

Static VLANs are manually configured and port-based, with each port on a switch belonging to a VLAN. With a static VLAN, when a device connects to a port, it is automatically assigned to that port's VLAN group. In contrast, dynamic VLANs (sometimes called MAC-based VLANs) rely on a policy server that maintains a database of MAC addresses and the appropriate VLAN for every device on the network. The policy server provides the MAC-to-VLAN mapping, which allows users to roam the network and connect to any switch while keeping the correct VLAN configuration. Dynamic VLANs are highly flexible, but there is a downside: for most businesses, keeping the policy server's MAC-to-VLAN mapping current is too much manual work to be practical.
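The two preceding sections describe forwarding inside a VLAN-aware switch (frames flooded only within their VLAN, cross-VLAN traffic kept apart) and the difference between port-based static VLANs and MAC-based dynamic VLANs. The toy switch below is an added example written for this page, not code from the article or from any vendor: it models a static switch with a port-to-VLAN table, and a dynamic switch whose policy table maps MAC addresses to VLANs with a fallback VLAN for unknown stations (a quarantine or guest VLAN is the usual defensive choice). All MAC addresses, port numbers and VLAN IDs are constructed.

```python
"""Toy model of a VLAN-aware Ethernet switch (constructed example).

Static mode:  each port has a fixed VLAN ID.
Dynamic mode: the ingress frame's source MAC is looked up in a policy
              table; unknown MACs go to fallback_vlan or are dropped.
Frames are flooded only to ports of the same VLAN, which is what keeps
each VLAN a separate broadcast domain.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


class VlanSwitch:
    def __init__(self, port_vlans, mac_policy=None, fallback_vlan=None):
        self.port_vlans = dict(port_vlans)        # static: port -> VLAN ID
        self.mac_policy = dict(mac_policy or {})  # dynamic: MAC -> VLAN ID
        self.fallback_vlan = fallback_vlan        # dynamic: VLAN for unknown MACs
        self.mac_table = {}                       # learned (vlan, mac) -> port

    def vlan_for(self, port, src_mac):
        """VLAN of an ingress frame: policy table if dynamic, else port VLAN."""
        if self.mac_policy:
            return self.mac_policy.get(src_mac, self.fallback_vlan)
        return self.port_vlans.get(port)

    def forward(self, in_port, frame):
        """Return the sorted list of egress ports for a frame entering in_port."""
        vlan = self.vlan_for(in_port, frame.src)
        if vlan is None:
            return []                        # station not allowed on any VLAN
        self.port_vlans[in_port] = vlan      # dynamic: port takes the station's VLAN
        self.mac_table[(vlan, frame.src)] = in_port   # learn the source
        known = self.mac_table.get((vlan, frame.dst))
        if known is not None:
            return [] if known == in_port else [known]   # unicast, same VLAN only
        # broadcast or unknown destination: flood within this VLAN only
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)


def static_demo():
    """HR on VLAN 10 (ports 1, 2), Finance on VLAN 20 (ports 3, 4)."""
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20})
    flood = sw.forward(1, Frame("02:00:00:00:00:01", BROADCAST))        # -> [2]
    sw.forward(2, Frame("02:00:00:00:00:02", BROADCAST))                # learn :02 on port 2
    unicast = sw.forward(1, Frame("02:00:00:00:00:01", "02:00:00:00:00:02"))  # -> [2]
    # Finance host addressing the HR station: :02 is unknown in VLAN 20, so the
    # frame is flooded to VLAN 20 ports only and never reaches port 2.
    cross = sw.forward(3, Frame("02:00:00:00:00:03", "02:00:00:00:00:02"))    # -> [4]
    return {"flood": flood, "unicast": unicast, "cross": cross}


def dynamic_demo():
    """MAC-based VLANs: any port, any switch, same VLAN; unknown MACs go to VLAN 99."""
    policy = {"02:00:00:00:00:01": 10, "02:00:00:00:00:02": 10, "02:00:00:00:00:03": 20}
    sw = VlanSwitch({}, mac_policy=policy, fallback_vlan=99)
    sw.forward(7, Frame("02:00:00:00:00:02", BROADCAST))            # port 7 joins VLAN 10
    roam = sw.forward(5, Frame("02:00:00:00:00:01", BROADCAST))     # :01 on port 5 -> [7]
    guest = sw.forward(6, Frame("02:00:00:00:00:ee", BROADCAST))    # unknown MAC -> VLAN 99
    strict = VlanSwitch({}, mac_policy=policy)                      # no fallback: drop
    dropped = strict.forward(6, Frame("02:00:00:00:00:ee", BROADCAST))
    return {"roam_vlan": sw.port_vlans[5], "roam": roam,
            "guest_vlan": sw.port_vlans[6], "guest": guest,
            "dropped": dropped, "strict_port_assigned": 6 in strict.port_vlans}


if __name__ == "__main__":
    print(static_demo())
    print(dynamic_demo())
```

The `cross` case is the isolation property the article is describing: the learned MAC table is keyed by VLAN as well as address, so a station learned in VLAN 10 is simply unknown to VLAN 20 and cannot be reached from it without a router. The `strict` switch shows the stricter alternative to a fallback VLAN: a MAC absent from the policy table is dropped and the port joins no VLAN at all.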

New uses for VLANs

In the 2000s, the virtualization trend gave the data center a central role. As servers, storage, and desktops were virtualized, new vendors such as VMware began to compete with established vendors such as Cisco. As virtualized data center infrastructure became commonplace, the concept of VLANs was updated to support more complex networks. As Robert Whiteley, an analyst at Forrester Research, explained, the network architecture needs to reach the same stage of virtualization as servers, storage and workstations. Historically, the network has been like a pipe on which everything depends; now it is becoming a new layer. To support virtualized environments, network tiers have collapsed and the boundaries between core and edge have begun to blur, a trend that shows no sign of slowing down. As a result, VLANs can be used in new ways. For example, Layer 2 switches can move virtual machines (VMs) from one data center to another while keeping them on the same VLAN.

How about VXLAN?

As computing resources become increasingly virtualized, containerized, and moved to the cloud, network virtualization has to evolve to keep pace. While traditional VLANs will still be used to manage local resources and for use cases such as guest WiFi networks, large cloud networks require newer technologies such as VXLAN. Traditional 802.1Q networks can support over 4000 VLANs, but this is not enough in virtualized data centers. The problem is that each VM requires its own IP and MAC address, so to the network equipment a multi-tenant server does not look like one server hosting several VMs but like that many individual servers. In addition, because digital transformation affects the entire economy, VM migrations also put pressure on traditional VLANs. To manage live migration of virtual machines without service interruption, the IP address and the operating state of each virtual machine must remain unchanged. Traditional VLAN technology, however, cannot support live VM migration and at the same time provide isolation in multi-tenant environments, which in large cloud data centers can include thousands of tenants or more.

To overcome this bottleneck, Cisco, VMware, and Arista Networks partnered to create the VXLAN standard, which helps manage traffic at cloud scale. VXLANs use encapsulation to isolate different VLANs, creating a logical tunnel that connects devices to the VXLAN using MAC-in-UDP encapsulation. This technique creates a Layer 2 overlay on top of a Layer 3 network by encapsulating Ethernet frames inside IP packets. In other words, each Layer 2 frame receives a VXLAN header and is then encapsulated in a UDP/IP packet that is sent over the Layer 3 network.

VXLAN-encapsulated packets are routed across the network as ordinary IP packets, and VXLAN-enabled switches can support up to 16 million virtual networks. To support live VM migration, VXLANs create a virtual tunnel between two Layer 2 switches, making the underlying infrastructure appear as a single Layer 2 network, so that the migrated virtual machines appear to remain on the same VLAN. As virtualization technology advances, the boundaries between VLANs, VXLANs, and adjacent LAN and WAN technologies such as SDN and SD-WAN will blur. If current trends continue, VLAN capabilities will increasingly be absorbed by other software-defined networking technologies as virtual networks of all kinds move from manual configuration to policy-based adjustment.
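The three paragraphs above describe the 12-bit 802.1Q VLAN ID (hence roughly 4000 VLANs), the 24-bit VXLAN network identifier (hence 16 million segments), and MAC-in-UDP encapsulation of a whole Ethernet frame inside an IP packet. The code below is an added example written for this page, not code from the article or from the VXLAN authors: it builds an 802.1Q-tagged frame, wraps it in VXLAN/UDP/IPv4/Ethernet following the header layouts of IEEE 802.1Q and RFC 7348 (UDP port 4789, flag byte 0x08 marking a valid VNI), and decapsulates it again while checking the outer headers. All MAC addresses, IP addresses, the VNI 5001 and the payload are constructed.

```python
"""802.1Q tagging and VXLAN MAC-in-UDP encapsulation, byte for byte.

Constructed example. Header layouts follow IEEE 802.1Q and RFC 7348;
addresses, VNI and payload are made up for the demonstration.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_UDP = 17
VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ethernet_frame(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def tag_8021q(frame, vid, pcp=0):
    """Insert TPID 0x8100 + 16-bit TCI (PCP:3, DEI:1, VID:12) after the MACs."""
    if not 1 <= vid <= 4094:         # 0 and 4095 are reserved: ~4000 usable IDs
        raise ValueError("VLAN ID out of range")
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | vid) + frame[12:]


def vlan_id(frame):
    """VID of a tagged frame, or None if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def vxlan_header(vni):
    """8 bytes: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni < 2 ** 24:       # 24-bit VNI: 16 777 216 segments
        raise ValueError("VNI out of range")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def checksum16(data):
    """RFC 1071 ones' complement checksum, used for the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src_ip, dst_ip, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, IPPROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]


def vxlan_encapsulate(inner, vni, vtep_src, vtep_dst, outer_src_mac, outer_dst_mac, sport=49152):
    """Outer Ethernet / IPv4 / UDP(4789) / VXLAN / inner Ethernet frame."""
    vx = vxlan_header(vni) + inner
    udp = struct.pack("!HHHH", sport, VXLAN_UDP_PORT, 8 + len(vx), 0) + vx  # UDP csum 0 = none
    ip = ipv4_header(vtep_src, vtep_dst, len(udp)) + udp
    return ethernet_frame(outer_dst_mac, outer_src_mac, ETH_P_IP, ip)


def vxlan_decapsulate(packet):
    """Return (vni, inner_frame); raise ValueError if the outer headers are wrong."""
    if struct.unpack("!H", packet[12:14])[0] != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if checksum16(packet[14:14 + ihl]) != 0 or packet[14 + 9] != IPPROTO_UDP:
        raise ValueError("bad IPv4 header or not UDP")
    udp = packet[14 + ihl:]
    if struct.unpack("!H", udp[2:4])[0] != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN port")
    flags, vni_field = struct.unpack("!II", udp[8:16])
    if not (flags >> 24) & VXLAN_FLAG_I:
        raise ValueError("VNI flag not set")
    return vni_field >> 8, udp[16:]


def is_valid_vxlan(packet):
    try:
        vxlan_decapsulate(packet)
        return True
    except ValueError:
        return False


def demo():
    inner = tag_8021q(ethernet_frame("02:00:00:00:00:02", "02:00:00:00:00:01",
                                     ETH_P_IP, b"constructed payload"), vid=10)
    pkt = vxlan_encapsulate(inner, vni=5001, vtep_src="10.0.0.1", vtep_dst="10.0.0.2",
                            outer_src_mac="02:00:00:aa:00:01", outer_dst_mac="02:00:00:aa:00:02")
    vni, recovered = vxlan_decapsulate(pkt)
    return {"vni": vni, "roundtrip": recovered == inner,
            "inner_vid": vlan_id(recovered), "overhead": len(pkt) - len(inner)}


if __name__ == "__main__":
    print(demo())
```

The `overhead` value is the 50 bytes the tunnel adds (14 outer Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN), which is why the underlay MTU has to be raised for VXLAN. Tagging the inner frame here only shows that the entire Layer 2 frame is carried as opaque payload; RFC 7348 expects VTEPs to send inner frames untagged unless configured otherwise. Note also what the decapsulation does not check: VXLAN carries no authentication, so a VTEP accepts any well-formed datagram on UDP/4789, and the VTEP addresses of the underlay should only be reachable from other trusted VTEPs.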
