What is a VLAN and how does it work?


A VLAN is a logical subnetwork of devices in a broadcast domain that is partitioned by network switches and/or network management software to act as its own distinct LAN. Switches that support VLANs give network managers the ability to create flexible virtual network segments that are independent of the underlying physical wired or wireless topology.

VLANs operate at either Layer 2 (data-link layer) or Layer 3 (network layer), depending on the design of the network. Several different network protocols support VLANs, most notably Ethernet and Wi-Fi.

What are the benefits of VLANs?

VLANs deliver several benefits. The most basic advantage is that devices can be moved from one VLAN to another without network managers having to rewire the network. Another advantage is that VLANs help organizations overcome bottlenecks by reducing Layer 2 traffic. VLANs also boost security by limiting the devices that are able to access any given VLAN.

VLANs can also be used to isolate user groups. For instance, a VLAN can be created to provide guest access on a Wi-Fi network, isolating contractors and other third parties to a subnet with limited resources. Or a network manager could create a VLAN for a particular department, such as HR or finance.

The history of VLANs

Virtual local area networks (VLANs) have been around for decades, invented by W. David Sincoskie in the 1980s while at Bellcore. After the 1982 antitrust breakup of the Bell System, Bell Communications Research (now iconectiv) was established to create a new company out of the northern New Jersey Bell Labs assets. More commonly known by its nickname Bellcore, this “Baby Bell” attracted most of its early staff from the pool of former Bell Labs employees.

In 1984, Sincoskie, a former Bell Labs computer engineer, joined Bellcore to work on IP telephony. Sincoskie set up the first Ethernet LAN at Bellcore, and, trying to figure out how to break through bottlenecks to scale up capacity, Sincoskie developed the first VLANs.

The problem Sincoskie faced was that Ethernet is a broadcast medium in which the signal from the host is broadcast to all networked devices, which then must process the received frames, whether relevant to the device or not. This results in high CPU overhead per device, while also clogging the network with unnecessary traffic.

Moreover, at the time, there was no proven way to connect multiple Ethernet networks. IP routing was one possible solution, but the drawback was that IP routing was slow and expensive.

Sincoskie sought a cheap, fast alternative with low CPU overhead, which led him to transparent bridging. Unfortunately, this approach created new problems, namely turning central switches into bottlenecks that limited scalability.

Sincoskie invented VLANs to overcome the bottleneck issue. His concepts were eventually included in Ethernet standards, such as IEEE 802.1Q in 1998, which outlined the concept of the Ethernet VLAN. Later additions to the standard (IEEE 802.1ad IEEE 802.1ah) added mechanisms, such as nested VLAN tags, to facilitate easier bridging and improve scalability.

How do VLANs work?

Without VLANs, issues associated with the design of broadcast networks (congestion, high CPU overhead, poor security) can metastasize quickly because Ethernet infrastructure gear, such as hubs and routers, enable network managers to create interconnected networks made up of multiple physically separate LANs. For example, a business may have a separate LAN for each department and link them together with hubs connected to a centralized Ethernet switch.

Traditionally, VLANs are defined at the port-level of an Ethernet switch. Switches offer the benefit of allowing the interconnected network to be partitioned into smaller domains, but since these are all still broadcast domains, the switch serves as a bottleneck that limits overall capacity.

VLANs give network managers the ability to create virtual domains that lump together devices that frequently communicate with one another, reducing congestion and CPU overhead, while also improving security by limiting the number of devices that may access any given VLAN. To handle traffic going from one VLAN to another, most networks are designed to pass that traffic off to routers.

Through network management software, each device in a VLAN is given a VLAN ID and assigned to a VLAN group. This means that devices can be in any of the physical LANs connected to the switch, yet they may be segmented and isolated into a VLAN group that functions as if it were a physically connected LAN.

To move a device from one VLAN to another, a network administrator simply moves the device to a different port on the switch or assigns it to a new VLAN through network management software, depending on the design of the network.

Static vs. dynamic VLANs

Static VLANs are manually configured and port-based with each port on a switch representing a VLAN. In a static VLAN, when a device connects to a port, it is automatically assigned to that VLAN group.

In contrast, dynamic VLANs (sometimes called MAC-based VLANs) rely on a policy server that maintains a database of MAC addresses and the appropriate VLAN for all networked devices. The policy server provides VLAN-to-MAC mapping, which makes it possible for users to move within a network and connect to any switch while still maintaining the appropriate VLAN configuration.

Dynamic VLANs are extremely flexible, but the drawback is that continuously maintaining the policy server for current VLAN-to-MAC mapping requires too much manual overhead to be practical for most organizations.

New uses for VLANs

In the 2000s, the data center became the focus of the virtualization trend. As servers, storage, and desktops were virtualized, new vendors like VMware began to compete alongside incumbents, such as Cisco.

As virtualized data center infrastructure started to become the norm, traditional VLAN concepts were refreshed to support more complex networks. As Forrester Research analyst Robert Whiteley explained it, “The network architecture going forward has to be in lock step with server, storage, and desktop [virtualization]. The network historically has been plumbing that everything rode on top of. Now it is becoming the new backplane.”

To support virtualized environments, networks flattened and began to lose the clear boundaries between the core and the edge, a trend that shows no signs of slowing down. As a result, VLANs can be used in new ways. For instance, Layer 2 switches can pass virtual machines (VMs) from one data center to another, while keeping them on the same VLAN.

What is a VXLAN?

As more IT resources are virtualized, containerized, and moved to the cloud, network virtualization has had to evolve to keep up. While traditional VLANs will continue to be used to manage local resources and for use cases such as Wi-Fi guest networks, large cloud-scale networks require newer technologies, such as VXLANs.

Traditional 802.11Q networks are able to support just over 4,000 VLANs, but in virtualized data centers, this isn’t sufficient. The problem is that each VM requires an independent IP and MAC address, which to networking gear looks not like multi-tenant VMs on one server, but rather as an exponentially greater number of individual servers.

Moreover, as digital transformation efforts spread throughout the economy, VM migrations also put stress on traditional VLANs. Managing dynamic VM migrations without service interruption requires that the IP addresses and running status of each VM remains unchanged, meaning that dynamic migrations can only be achieved within the same Layer 2 domain, which may span regions.

Facilitating dynamic VM migrations and establishing isolation in multi-tenant environments, which may include tens of thousands of tenants or more in large cloud data centers, cannot be achieved with traditional VLAN technology.

To overcome this new bottleneck, Cisco, VMware, and Arista Networks teamed up to create a new VXLAN standard to handle cloud-scale traffic.

VXLANs rely on encapsulation technology to isolate different virtual LANs, creating a logical tunnel that joins devices on the VXLAN together through MAC-in-UDP encapsulation. This technique creates a Layer 2 network overlay on Layer 3 by encapsulating Ethernet packets in IP packets. In other words, each Layer 2 packet is given a VXLAN header, which is then encapsulated into a UDP IP packet that is transmitted over the Layer 3 network.

VXLAN encapsulated packets are routed over the network just like IP packets, and VXLAN-capable switches can support as many as 16 million VLANs. To facilitate dynamic VM migrations, VXLANs create a virtual tunnel between two Layer 2 switches, turning the underlying IP network into one Layer 2 network. Thus, VMs can move anywhere but appear to the infrastructure as if they are staying within the same VLAN.

As virtualization technology continues to evolve, the lines will blur between VLANs, VXLANs, and adjacent virtual LAN and WLAN technologies, such as SDN and SD-WAN. If current trends hold up, VLAN capabilities will increasingly be absorbed into other software-defined networking technologies, as virtual networks of all stripes continue to move away from manual configurations to policy-based ones.

(Jeff Vance is an IDG contributing writer and the founder of Startup50.com, a site that discovers, analyzes, and ranks tech startups. Follow him on Twitter, @JWVance, or connect with him on LinkedIn.)

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2022 IDG Communications, Inc.



Source link