Migrating to VLAN: Tips, Tools and Standards
by Eddie Rabinovitch, UniNews online Network Management Correspondent
With the migration from shared to switched LANs, the term VLAN has become common not only within standards committees and engineering departments, but in many network management centers and campuses. For quite some time VLANs were considered "marketecture", invented by vendors of switched equipment and, because of their inherent complexity, very rarely implemented by end users. Today, however, as switched LAN infrastructures slowly but surely replace shared LANs, even industry analysts have discovered that VLANs are required for the very same reasons vendors were promoting them: to enhance security and traffic control; to ease network adds, moves, and changes; to contain broadcasts; or, summarizing all of the above, to enhance the manageability of switched LANs.

Network managers moving into VLAN technology should be able to define VLANs based on the following characteristics: physical ports, protocol type, MAC address, and IP subnets.
Tools for Solutions
Let's take a closer look at VLAN technology and review existing and soon-to-come solutions. Since the primary objective of implementing VLANs is to enhance network manageability during the network planning and design stages, centralized VLAN management is an important requirement. When VLANs can be defined remotely and managed from a central location, network managers can more easily design their networks around business objectives such as improved service to users, while also continuously monitoring VLAN performance and adjusting VLAN policies and definitions.

This works in practice when dependable VLAN management tools are deployed. Such tools should be capable of centralized network administration, including the ability to control and define the initial assignment of users to VLANs, as well as the ability to manage ongoing adds, moves, and changes.
Dependable VLAN management tools can substantially reduce or even eliminate the need for manual administration of user adds, moves, and changes. For example, when a user moves within the network, the switches will sniff the user's MAC address and automatically assign the user to the correct VLAN. Additionally, VLANs can significantly improve security management by automatically placing unrecognized network users into a default VLAN with minimal accessibility, isolated from the rest of the network. For example, when any user plugs into any switch port, the VLAN management software on the switch will check the user's MAC address against a predefined VLAN map; if the MAC address is unrecognized, the switch will both alert the network management station and place the user in a default VLAN for insecure users.
The same functionality also closes a gap for unrecognized mobile users, who can no longer bypass security checks simply by connecting to a secure port. Such exposure exists when VLAN membership is determined solely by the switch port. Efficient VLAN management can improve productivity and greatly simplify procedures for mobile users, ensuring optimal service and performance no matter which switch port they log into.
Emerging and Existing Standards Can Help Solve the Problem of Interoperability
Currently there are several VLAN management products on the market. However, one of the problems faced by end users is that these products usually do not interoperate and only support a specific vendor's equipment. To address this issue, the IEEE (http://www.ieee.org) is formalizing a new standard, currently in draft status, for Virtual Bridged LANs, entitled IEEE 802.1Q. Although it is far from an ideal or complete solution, this standard is a first step towards introducing multi-vendor standardization for VLANs. IEEE 802.1Q does address the important issue of VLAN tagging. Generally speaking, there are two ways to tag frames:

1. Implicit Tagging: a frame is classified as belonging to a particular VLAN based on the data content of the frame (e.g., MAC address, layer 3 protocol) and/or the receiving port.

2. Explicit Tagging: a frame is classified as belonging to a particular VLAN based on an explicit VLAN tag value that is included in the frame.
Even though IEEE 802.1Q currently concerns itself with Explicit Tagging, it also allows a means of implicit frame classification based on the receiving port. To address the issues of multi-vendor support and the different levels of intelligence built into vendor equipment, the upcoming standard will have to address interoperability between relatively simple switches and sophisticated high-function switches. For example, switches that only understand port-based VLANs are forced to explicitly tag frames based on the port of entry, even if the frame may already have been tagged by the end station or another switch. On the other hand, high-function switches may look at the subnet mask of the IP packets in IP subnet-based VLANs and decide which VLAN the traffic belongs to based on that information. These switches may then decide whether or not to explicitly tag the frames, since both tagged and untagged frames can be forwarded, though not on the same VLAN. The rationale for allowing switches the freedom to apply their own level of VLAN membership awareness is that, in a multi-vendor environment, the forwarding rules must remain as flexible as possible to provide for painless frame forwarding.
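To make the two classification styles concrete, here is an added Python model (not code from the article or from any vendor) of a port-based-only switch and a high-function switch that honours an explicit tag, falls back to the MAC-address map described earlier, and quarantines unrecognized addresses in a default VLAN with an alert. It assumes the 802.1Q tag layout from the final standard (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits carry the VLAN ID), which this page does not spell out; the MAC map, port map and quarantine VLAN 999 are constructed sample data.

```python
import struct
TPID_8021Q = 0x8100   # 802.1Q tag protocol identifier (from the final standard, not this page)

# Constructed data: a MAC-to-VLAN map as pushed from a management station,
# a port-to-VLAN map for a port-based-only switch, and a quarantine VLAN.
MAC_VLAN_MAP = {"00:00:5e:00:53:01": 10, "00:00:5e:00:53:02": 20}
PORT_VLAN_MAP = {1: 10, 2: 20, 3: 30}
DEFAULT_VLAN = 999

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    etype = struct.unpack("!H", frame[12:14])[0]
    vid, off = None, 14
    if etype == TPID_8021Q:               # explicit tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18       # low 12 bits of the TCI carry the VLAN ID
    return _mac(frame[:6]), _mac(frame[6:12]), vid, etype, frame[off:]

def tag_frame(frame, vid, priority=0):
    """Insert an explicit 802.1Q tag into an untagged frame (explicit tagging)."""
    if parse_frame(frame)[2] is not None:
        return frame                      # already tagged; leave the tag alone
    tci = (priority & 0x7) << 13 | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def classify_port_based(frame, ingress_port):
    """Simple switch: membership comes from the port of entry only."""
    return PORT_VLAN_MAP[ingress_port], "port", False

def classify_high_function(frame, ingress_port):
    """High-function switch: explicit tag > MAC map > quarantine VLAN with alert."""
    _, src, vid, _, _ = parse_frame(frame)
    if vid is not None:
        return vid, "explicit-tag", False
    if src in MAC_VLAN_MAP:
        return MAC_VLAN_MAP[src], "mac-map", False
    return DEFAULT_VLAN, "unrecognized-mac", True   # alert the management station

def make_frame(dst, src, etype=0x0800, payload=b"\x00" * 46):
    """Build a constructed untagged Ethernet II frame from colon-separated MACs."""
    to_b = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return to_b(dst) + to_b(src) + struct.pack("!H", etype) + payload
```

The third element of each classification result is the alert flag a management station would act on; only the unrecognized-MAC path raises it.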
The upcoming IEEE 802.1Q standard is compatible with the transparent bridging standard, IEEE 802.1d. Accordingly, the new standard specifies that legacy bridges, unaware of VLANs, can be incorporated into networks with VLAN-aware devices. For example, when a legacy bridge is placed between two tag-aware devices, its job is to forward the traffic as usual, without interpreting the tag value. According to IEEE 802.1d, a legacy transparent bridge will flood frames with unknown destination MAC addresses to all ports.
IEEE 802.1Q is expected to be finalized in the middle of 1998, and the final draft document is supposed to become available quite soon, allowing vendors to finalize their strategies on the migration/integration of the emerging VLAN tagging standard with their existing products.
In conclusion, VLANs are necessary for an intelligent migration from shared to switched LAN infrastructure. They are a significant step towards the concept of self-managed networks. Not only can VLANs be defined and used, but, more importantly, VLANs can be reliably managed, here and now. When selecting a reliable vendor for VLAN equipment and a management platform, it is important not only to learn the functionality and richness of the existing tools, but also to study the vendor's migration/integration plans for these tools in conjunction with the emerging IEEE 802.1Q standard.
Eddie Rabinovitch writes on network management issues and can be reached at eddier@mindspring.com.