Using virtual local area network (VLAN) technology, network architects can segment physical devices into logical subgroups and gain performance and security benefits.
A VLAN is a logical subnet of devices within a broadcast domain, defined by network switches and/or network management software, that can operate as a separate LAN in its own right. Switches that support VLANs let network managers create flexible virtual network segments that are independent of the underlying wired or wireless physical topology. VLANs operate at Layer 2 (the data link layer) or at Layer 3 (the network layer), depending on the network design. Several network protocols support VLANs, Ethernet and WiFi in particular.
Advantages of VLANs
VLANs offer several advantages. The most fundamental is that network managers can move devices from one VLAN to another without rewiring the network. Another benefit is that VLANs help businesses overcome bottlenecks by reducing Layer 2 traffic. VLANs also improve security by limiting which devices can reach a particular VLAN, and they can be used to isolate groups of users. For example, a VLAN can provide guest access to a WiFi network, or isolate contractors and other third parties on a resource-constrained subnet. Likewise, a network manager can create a VLAN for a specific department, such as HR or finance.
History of VLANs
Virtual Local Area Networks (VLANs) have been around for decades. They were invented by W. David Sincoskie in the 1980s while he was working for Bellcore. After the Bell System was broken up in 1982 under antitrust law, Bell Communications Research (now iconectiv) was founded as a new company built from the assets of New Jersey-based Bell Labs. Better known as Bellcore, this "Baby Bell" recruited most of its staff from former Bell Labs employees. In 1984, W. David Sincoskie, a former Bell Labs computer engineer, joined Bellcore to work on IP telephony. At Bellcore he implemented the first Ethernet LAN, and while looking for a way to eliminate bottlenecks and increase capacity, Sincoskie created the first VLANs.
The problem Sincoskie needed to solve is that Ethernet is a broadcast medium: a signal sent by one host reaches every device on the network, and each device must then process the received frames whether or not they are addressed to it. This creates significant CPU overhead on every device while clogging the network with unnecessary traffic. Also, at that time, there was no proven way to connect multiple Ethernet networks. IP routing was one possible solution, but it was slow and expensive. So Sincoskie looked for a fast, inexpensive alternative with low CPU overhead, which led him to transparent bridging. Unfortunately, this approach created new problems of its own, including core switches that became bottlenecks and limited scalability. W. David Sincoskie invented VLANs to solve this bottleneck problem. His concepts were later incorporated into Ethernet standards, notably IEEE 802.1Q in 1998, which describes Ethernet VLANs. Later additions to the standard (IEEE 802.1ad and IEEE 802.1ah) added further mechanisms, such as nested VLAN tags, to facilitate bridging and improve scalability.
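The tagging mechanism that 802.1Q and 802.1ad standardize is small enough to show in full. The following Python module (an added example, not code from the article or from any vendor) parses the tag stack on an Ethernet frame, pushes and pops tags, and rejects VIDs outside the 12-bit range that 802.1Q allows. The frame bytes, MAC addresses and VLAN numbers are constructed for the demonstration; the TPID values 0x8100 (802.1Q C-TAG) and 0x88A8 (802.1ad S-TAG) are the standard ones.

```python
"""Parse and build IEEE 802.1Q / 802.1ad (Q-in-Q) VLAN tags on Ethernet frames.

Added example, not code from the original article. Frame bytes below are constructed.
"""
import struct

TPID_8021Q = 0x8100    # customer tag (C-TAG), IEEE 802.1Q
TPID_8021AD = 0x88A8   # service tag (S-TAG), IEEE 802.1ad provider bridging
VLAN_TPIDS = (TPID_8021Q, TPID_8021AD)
MAX_VID = 4094         # VID is 12 bits; 0 (priority-only) and 4095 are reserved


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, tags, ethertype, payload).

    tags is a list of (tpid, pcp, dei, vid) tuples, outermost first. A frame
    may carry zero tags (untagged), one (802.1Q) or several (Q-in-Q).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in VLAN_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        # TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return dst, src, tags, ethertype, frame[offset + 2:]


def effective_vlan(tags):
    """VLAN the frame belongs to on the receiving link: the outermost VID,
    or None for untagged and priority-tagged (VID 0) frames."""
    if not tags or tags[0][3] == 0:
        return None
    return tags[0][3]


def push_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0,
             tpid: int = TPID_8021Q) -> bytes:
    """Insert a tag right after the source MAC, i.e. as the new outermost tag."""
    if not 1 <= vid <= MAX_VID:
        raise ValueError(f"VID {vid} outside 1..{MAX_VID}")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag; a no-op for untagged frames."""
    if struct.unpack_from("!H", frame, 12)[0] in VLAN_TPIDS:
        return frame[:12] + frame[16:]
    return frame


# Constructed sample: broadcast frame with ARP ethertype (0x0806) and a dummy payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28
TAGGED = push_tag(UNTAGGED, vid=10, pcp=5)              # 802.1Q C-TAG, VLAN 10
QINQ = push_tag(TAGGED, vid=200, tpid=TPID_8021AD)      # 802.1ad S-TAG 200 around C-TAG 10

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("tagged", TAGGED), ("qinq", QINQ)):
        _, _, tags, etype, _ = parse_frame(f)
        print(f"{name:9s} tags={tags} ethertype=0x{etype:04x} vlan={effective_vlan(tags)}")
```

The 12-bit VID field is the reason a single 802.1Q domain tops out at a few thousand VLANs, and the Q-in-Q case shows how 802.1ad gets around that by stacking a provider tag outside the customer tag: a receiving bridge only acts on the outermost tag, which `effective_vlan` reflects.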
How VLANs work
Without VLANs, the problems of broadcast network design (congestion, high CPU overhead, poor security) spread quickly, because Ethernet infrastructure equipment such as hubs and routers lets network managers build interconnected networks made up of several physically separate LANs. For example, a company could have a separate LAN for each department and join them through hubs connected to a central Ethernet switch. Traditionally, VLANs are defined at the port level of an Ethernet switch. Switches have the advantage of dividing the interconnected network into smaller domains, but since these are still broadcast domains, the switch becomes a bottleneck that limits total capacity.
VLANs give network managers the ability to create virtual domains that group devices which communicate frequently with each other, reducing congestion and CPU overhead while improving security by limiting the number of devices that can reach a particular VLAN. To manage traffic flowing from one VLAN to another, most networks are designed to hand that traffic to routers. Using network management software, each device in a VLAN is assigned a VLAN ID and placed in a VLAN group. This means the devices can sit on any physical LAN connected to the switch, yet be segmented into a VLAN group that behaves as if it were a physically connected LAN. To move a device from one VLAN to another, the network administrator simply moves the device to another switch port or assigns it to a new VLAN through network management software, depending on the network design.
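To make the isolation described above concrete, here is a small model of a VLAN-aware switch in Python. It is an added example, not code from the article or from any switch vendor, and the port layout, VLAN numbers and MAC addresses are constructed. It keeps a separate MAC table per VLAN, floods unknown and broadcast frames only to ports in the same VLAN (plus the trunk), and never forwards a frame into another VLAN, which is exactly why inter-VLAN traffic has to go through a router. One simplifying assumption: tagged frames arriving on an access port are assigned to the port's VLAN and the tag is ignored; real switches handle that case according to their configuration.

```python
"""Minimal model of a VLAN-aware Ethernet switch: per-VLAN MAC learning and
flooding that never crosses a VLAN boundary.

Added example, not the article's code. Port layout and MAC addresses are constructed.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    def __init__(self, access_ports: dict, trunk_ports=()):
        # access_ports: port number -> VLAN ID (untagged members)
        # trunk_ports: ports that carry 802.1Q-tagged frames for every VLAN
        self.access = dict(access_ports)
        self.trunks = set(trunk_ports)
        self.mac_table = {}  # (vlan, mac) -> port, learned from source addresses

    def vlan_of(self, in_port, tag):
        """Decide which VLAN an ingress frame belongs to."""
        if in_port in self.access:
            return self.access[in_port]       # assumption: tag ignored on access ports
        if in_port in self.trunks and tag is not None:
            return tag
        return None                           # untagged on a trunk, or unknown port: drop

    def ports_in_vlan(self, vlan):
        return {p for p, v in self.access.items() if v == vlan} | self.trunks

    def forward(self, in_port, src, dst, tag=None):
        """Return {out_port: tag_or_None} describing where the frame is sent.

        Access ports receive the frame untagged; trunk ports receive it tagged
        with the VLAN it belongs to. An empty dict means the frame was dropped.
        """
        vlan = self.vlan_of(in_port, tag)
        if vlan is None:
            return {}
        self.mac_table[(vlan, src)] = in_port      # learn per VLAN, not globally
        known = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            outs = {known} - {in_port}
        else:
            # unknown unicast / broadcast: flood, but only inside this VLAN
            outs = self.ports_in_vlan(vlan) - {in_port}
        return {p: (vlan if p in self.trunks else None) for p in outs}


def demo():
    """Two access VLANs (10 = HR on ports 1-2, 20 = Finance on ports 3-4) and a trunk on port 5."""
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20}, trunk_ports={5})
    hr_a, hr_b, fin_a = "02:00:00:00:10:01", "02:00:00:00:10:02", "02:00:00:00:20:01"
    results = {}
    results["hr_broadcast"] = sw.forward(1, hr_a, BROADCAST)        # reaches port 2 and trunk only
    sw.forward(3, fin_a, BROADCAST)                                  # finance host learned in VLAN 20
    results["hr_to_finance"] = sw.forward(1, hr_a, fin_a)            # floods in VLAN 10, never port 3
    sw.forward(2, hr_b, hr_a)                                        # hr_b learned on port 2
    results["hr_unicast"] = sw.forward(1, hr_a, hr_b)                # known: port 2 only
    results["trunk_tagged_20"] = sw.forward(5, "02:00:00:00:20:09", BROADCAST, tag=20)
    results["trunk_untagged"] = sw.forward(5, "02:00:00:00:20:09", BROADCAST)
    return results


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:16s} -> {out}")
```

The `hr_to_finance` case is the security property in one line: even though the switch has learned where the finance host is, that entry lives in VLAN 20's table, so an HR host's frame addressed to it is only flooded within VLAN 10 and never reaches a finance port.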
Static VLAN vs. Dynamic VLAN
Static VLANs are manually configured and port-based, with each switch port assigned to a VLAN. With a static VLAN, a device that connects to a port is automatically placed in that port's VLAN group. In contrast, dynamic VLANs (sometimes referred to as MAC-based VLANs) rely on a policy server that maintains a database of MAC addresses and the appropriate VLAN for every networked device. The policy server provides the VLAN-to-MAC mapping, allowing users to roam the network and connect to any switch while keeping the correct VLAN configuration. Dynamic VLANs are highly flexible, but they have a downside: for most businesses, keeping the policy server's VLAN-to-MAC mapping up to date is too much manual work to be practical.
New uses for VLANs
In the 2000s, the virtualization trend gave the data center a central role. As servers, storage, and workstations were virtualized, new vendors like VMware began to compete with incumbents like Cisco. As virtualized data center infrastructure became commonplace, the VLAN concept was updated to support more complex networks. As Robert Whiteley, an analyst at Forrester Research, explained, "The architecture of the open network must be consistent with the virtualization of servers, storage and workstations. Historically, the network has been in a way the plumbing where everyone rests. Now, it is becoming a new floor." To support virtualized environments, network tiers have collapsed and the boundary between core and edge has begun to blur, a trend that shows no sign of slowing down. VLANs can also be used in other ways. For example, Layer 2 switches can move virtual machines (VMs) from one data center to another while keeping them on the same VLAN.
How about VXLAN?
As computing resources become virtualized, containerized, and moved to the cloud, network virtualization needs to evolve to keep up. While traditional VLANs will still be used to manage local resources and for use cases such as guest WiFi networks, large cloud networks require newer technologies such as VXLAN. Traditional 802.1Q networks can support over 4000 VLANs, but this is not enough in virtualized data centers. The problem is that each VM requires its own IP and MAC address, so to the network gear a server hosting many tenant VMs does not look like one server but like an exponentially larger number of individual servers. Additionally, because digital transformation affects the entire economy, VM migrations also put pressure on traditional VLANs. To manage live transfers of virtual machines without service interruption, the IP address and the operating state of each virtual machine must remain unchanged. However, traditional VLAN technology can neither facilitate live transfers of virtual machines nor provide isolation in multi-tenant environments, which can include thousands of tenants or more in large cloud data centers.
To overcome this bottleneck, Cisco, VMware, and Arista Networks partnered to create the VXLAN standard, which helps manage traffic at cloud scale. VXLANs rely on encapsulation to isolate different VLANs, creating a logical tunnel that connects devices to the VXLAN using MAC-in-UDP encapsulation. This technique creates a Layer 2 over Layer 3 network overlay by encapsulating Ethernet frames in IP packets. In other words, each Layer 2 frame receives a VXLAN header and is then encapsulated in a UDP/IP packet that is forwarded across the Layer 3 network.
VXLAN-encapsulated packets are routed across the network as ordinary IP packets, and VXLAN-enabled switches can support up to 16 million VLANs. To facilitate live transfers of virtual machines, VXLANs create a virtual tunnel between two Layer 2 switches, building a Layer 2 network on top of the underlying infrastructure so that VMs can be moved while appearing to remain on the same VLAN. As virtualization technology advances, the boundaries between VLANs, VXLANs, and adjacent LAN and WAN technologies, such as SDN and SD-WAN, will blur. If current trends continue, VLAN capabilities will increasingly be absorbed by other software-defined networking technologies as virtual networks of all types move from manual configuration to policy-based adjustment.
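The MAC-in-UDP encapsulation described above is simple enough to build and decode by hand. The following Python module is an added example, not code from the article or from Cisco, VMware or Arista: it wraps a constructed inner Ethernet frame in an outer IPv4/UDP header plus the 8-byte VXLAN header (RFC 7348), and decapsulates it again while validating the outer checksum, the UDP destination port 4789 and the VXLAN "I" flag. The VTEP addresses, VNI and inner frame are constructed, and the outer Ethernet header is omitted. The 24-bit VNI field is what gives VXLAN its roughly 16 million segments against the 4094 of a single 802.1Q VID.

```python
"""VXLAN (RFC 7348) encapsulation and decapsulation of an Ethernet frame.

Added example, not code from the original article. Inner frame, VTEP addresses
and VNI are constructed; the outer Ethernet header is omitted for brevity.
"""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789           # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08             # "I" bit: the VNI field is valid
MAX_VNI = (1 << 24) - 1         # 24-bit VNI: ~16 million segments vs 4094 802.1Q VIDs
IP_PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """Standard ones-complement checksum over the IPv4 header (even length)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)


def encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                src_port: int = 49152) -> bytes:
    """Wrap an Ethernet frame in outer IPv4/UDP/VXLAN (MAC-in-UDP)."""
    vxlan = build_vxlan_header(vni)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    # UDP checksum 0: RFC 7348 allows a zero checksum over IPv4.
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    # IPv4: version/IHL, TOS, total length, ID, DF flag, TTL 64, UDP, checksum 0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0, 0x4000, 64, IP_PROTO_UDP, 0,
                     ipaddress.IPv4Address(src_vtep).packed,
                     ipaddress.IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + inner_frame


def decapsulate(packet: bytes):
    """Validate the outer headers and return (src_vtep, dst_vtep, vni, inner_frame).

    Raises ValueError on anything that is not a well-formed VXLAN packet. Nothing
    here authenticates the sender: the VNI is taken on trust from the packet, which
    is why the underlay must restrict which hosts can reach a VTEP on UDP 4789.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 16:
        raise ValueError("packet too short for UDP and VXLAN headers")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IP_PROTO_UDP:
        raise ValueError("outer protocol is not UDP")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    _, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")
    if ulen < 8 + 8 + 14 or ihl + ulen > len(packet):
        raise ValueError("UDP length inconsistent with packet")
    flags, _, vni_field = struct.unpack("!B3sI", packet[ihl + 8:ihl + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    inner = packet[ihl + 16:ihl + ulen]
    return src, dst, vni_field >> 8, inner


# Constructed inner frame: dst 02:..:02, src 02:..:01, IPv4 ethertype, dummy payload.
INNER = bytes.fromhex("020000000002" "020000000001" "0800") + b"\x00" * 32

if __name__ == "__main__":
    pkt = encapsulate(INNER, 5001, "10.0.0.1", "10.0.0.2")
    src, dst, vni, inner = decapsulate(pkt)
    print(f"{src} -> {dst} VNI {vni}, inner frame {len(inner)} bytes")
```

The decoder deliberately rejects packets with a bad outer checksum, the wrong UDP port or a clear I flag, but it cannot tell a legitimate VTEP from any other host that can send UDP to port 4789: tenant isolation in a VXLAN fabric rests on the underlay network controlling which endpoints can reach the VTEPs, not on anything in the encapsulation itself.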