



Handbook of Local Area Networks, 1998 Edition: Advanced LAN Issues and Solutions

MULTILAYER SWITCHES AND VIRTUAL LANS

We referred earlier to the technique of defining broadcast domains within the switched LAN as "Virtual LANs", with the promise of some further explanation. In this context the terms broadcast domain and VLAN mean the same thing, so for brevity we will use VLAN from here on.

At the simplest level, VLANs are defined (via network management) as groups of ports on LAN switches that can exchange unicast and broadcast frames with one another. A broadcast frame that enters the switch on a port belonging to the VLAN is copied by the switch to every other port belonging to that VLAN, and to no port outside it. Some LAN switches allow a VLAN to include ports on several switches, although this usually depends on an additional protocol running between the switches to communicate VLAN membership details.

It is perfectly possible to operate a LAN based on multilayer switching without defining VLANs, but there are two reasons why VLANs are likely to be needed in most network installations:

•  Many existing networks rely on the Layer 3 forwarding function (in conventional routers) to provide a degree of security and access control. The Layer 3 forwarder in a multilayer switch may be perfectly capable of providing the same degree of security and access control, but in the absence of VLANs a user could bypass it simply by reconfiguring his or her workstation's IP address to carry the same subnet number as the networked resource under attack. The workstation would then reach that resource through the Layer 2 switching fabric alone, which forwards on MAC address and VLAN membership only and applies no address-based access checks at all.

•  Without VLANs, a LAN based on multilayer switching is a single, large broadcast domain. Depending on the number of stations in the LAN and the protocols in use, this can cause problems due to excessive broadcast traffic. Some LAN switches can deal with this using intelligent broadcast control techniques, but where these are not available, VLANs must be used to break the network into a number of separate broadcast domains.

Now let us see how we would use VLANs in practice with multilayer switching. To keep things simple, we start from the assumption that each IP subnet has its own VLAN and that each VLAN contains one, and only one, IP subnet. All we then have to do is decide which ports on which multilayer switches belong to which IP subnet. In an existing routed LAN this is easy, since each LAN segment connected to a router already has its own subnet identity. When we connect such a segment to a multilayer switch we may want to break it into several smaller segments to improve performance, so a number of ports on each multilayer switch may carry the same subnet identity. We simply define a VLAN around each group of ports sharing a subnet identity and then "connect" that VLAN to a logical "router port" within the Layer 3 forwarder in the multilayer switch. All of this is configured, of course, from the network management console.

Defining VLANs in this way addresses the security issue: a user cannot reach any resource outside his or her own VLAN without passing through the Layer 3 forwarding function, because VLAN membership is a property of the switch port, set by the administrator, and not something the end station can change by altering its own IP address. It also addresses the broadcast issue, since our broadcast domains are now no larger than they were when conventional routers connected shared LAN segments together.

However, this approach does not let us take advantage of one of the most talked-about benefits of VLANs: handling moves and changes without reconfiguring IP addresses in end stations. In the design just described, if a user moves a PC from one switch port to another, and the new port does not belong to the same VLAN as the old one, the user needs a new IP address matching the subnet assigned to the new port; otherwise the PC cannot communicate across the LAN. One solution is a network management application that tracks moves and changes (by observing the MAC addresses learned on each switch port and their corresponding IP or IPX addresses) and then reconfigures VLAN boundaries automatically so that users keep the connectivity they need without being issued new IP addresses. To maintain security, such an application must ask an administrator to confirm any change to VLAN boundaries it proposes to make; if it silently followed every station that appeared on a new port, relocating oneself into a more privileged VLAN would be as easy as plugging into a different port.

Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved.
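The following is an added worked example, not code from the Handbook or from any switch vendor. It models the two designs contrasted above: a multilayer switch whose ports all sit in one broadcast domain, and the same switch with one VLAN per IP subnet and a logical router port per VLAN. It replays three cases: a permitted client crossing the Layer 3 forwarder, an attacker stopped by the forwarder's access list, and the same attacker re-addressing the workstation into the server's subnet to reach it through the Layer 2 fabric alone. The host names, MAC and IP addresses, VLAN numbers and the single access-list entry are all constructed for the example.

```python
"""Toy model of a multilayer switch: Layer 2 forwarding confined to VLANs, with
inter-subnet traffic forced through a Layer 3 forwarder that applies an ACL.
Constructed example, not code from the Handbook or any vendor."""
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Host:
    def __init__(self, name, mac, ip_with_prefix, port):
        self.name, self.mac, self.port = name, mac, port
        self.iface = ipaddress.ip_interface(ip_with_prefix)

    @property
    def ip(self):
        return self.iface.ip

    def readdress(self, ip_with_prefix):
        """What a user can do at the workstation: change its own IP address and mask."""
        self.iface = ipaddress.ip_interface(ip_with_prefix)


class MultilayerSwitch:
    def __init__(self):
        self.port_vlan = {}     # switch port -> VLAN id (the broadcast domain it belongs to)
        self.router_ports = []  # (VLAN id, subnet): logical router ports of the L3 forwarder
        self.acl = []           # (src_net, dst_net, permit); first match wins, implicit deny
        self.mac_table = {}     # (VLAN, MAC) -> port, learned from source addresses

    def attach(self, host, vlan):
        self.port_vlan[host.port] = vlan   # membership is set by management, not by the host

    def add_router_port(self, vlan, subnet):
        self.router_ports.append((vlan, ipaddress.ip_network(subnet)))

    def acl_entry(self, src_net, dst_net, permit=True):
        self.acl.append((ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net), permit))

    def l2_forward(self, in_port, src_mac, dst_mac):
        """Layer 2 switching fabric: learn, then forward. The only boundary is VLAN membership."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src_mac)] = in_port
        known = self.mac_table.get((vlan, dst_mac))
        if dst_mac != BROADCAST and known is not None:
            return [known]
        # Broadcast or unknown unicast: copy to every other port in the same VLAN only.
        return [p for p, v in self.port_vlan.items() if v == vlan and p != in_port]

    def l3_forward(self, src, dst_ip):
        """Layer 3 forwarder: reachable only via a router port, and it enforces the ACL."""
        src_vlan = self.port_vlan[src.port]
        if not any(v == src_vlan for v, _ in self.router_ports):
            return None, "no-router-port"
        for s_net, d_net, permit in self.acl:
            if src.ip in s_net and dst_ip in d_net:
                if not permit:
                    return None, "acl-deny"
                break
        else:
            return None, "acl-implicit-deny"
        for vlan, net in self.router_ports:
            if dst_ip in net:
                return vlan, "routed"
        return None, "no-route"

    def deliver(self, src, dst):
        """Trace an IP packet from src to dst. Returns (delivered, path taken)."""
        if dst.ip in src.iface.network:
            # Same subnet as far as src can tell: ARP broadcast, then Layer 2 unicast.
            if dst.port not in self.l2_forward(src.port, src.mac, BROADCAST):
                return False, "arp-unanswered"   # the broadcast never left src's VLAN
            self.mac_table[(self.port_vlan[dst.port], dst.mac)] = dst.port  # ARP reply learned
            return dst.port in self.l2_forward(src.port, src.mac, dst.mac), "layer2-only"
        dst_vlan, why = self.l3_forward(src, dst.ip)
        if dst_vlan is None:
            return False, why
        return self.port_vlan[dst.port] == dst_vlan, why


def run_scenarios(one_vlan_per_subnet):
    """Build the LAN flat (every port in VLAN 1) or with VLAN 10 = 10.1.10.0/24 and
    VLAN 20 = 10.1.20.0/24, then replay the cases from the text. All values constructed."""
    sw = MultilayerSwitch()
    client = Host("client", "02:00:00:00:00:01", "10.1.10.20/24", port=1)
    attacker = Host("attacker", "02:00:00:00:00:02", "10.1.10.99/24", port=2)
    server = Host("server", "02:00:00:00:00:03", "10.1.20.5/24", port=3)
    v10, v20 = (10, 20) if one_vlan_per_subnet else (1, 1)
    sw.attach(client, v10)
    sw.attach(attacker, v10)
    sw.attach(server, v20)
    sw.add_router_port(v10, "10.1.10.0/24")
    sw.add_router_port(v20, "10.1.20.0/24")
    sw.acl_entry("10.1.10.20/32", "10.1.20.0/24", permit=True)  # only the client may reach the server subnet
    results = {
        "broadcast_fanout": len(sw.l2_forward(client.port, client.mac, BROADCAST)),
        "client_to_server": sw.deliver(client, server),
        "attacker_to_server": sw.deliver(attacker, server),
    }
    # The bypass the text warns about: re-address into the server's subnet so no router port is needed.
    attacker.readdress("10.1.20.77/24")
    results["readdressed_attacker_to_server"] = sw.deliver(attacker, server)
    return results


if __name__ == "__main__":
    for label, segmented in (("flat LAN", False), ("VLAN per subnet", True)):
        print(label)
        for case, outcome in run_scenarios(segmented).items():
            print(f"  {case}: {outcome}")
```

In the flat LAN the re-addressed attacker reaches the server with path `layer2-only` and the access list is never consulted, and a broadcast from the client is copied to both other ports. With one VLAN per subnet the same ARP broadcast stays inside VLAN 10, the server never answers it, and the only way to the server subnet is through the router port, where the access list admits the client and rejects the attacker. The point to notice is that the defence comes from `attach()` being a management action on the port, not anything the end station controls.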


