While virtual LANs might not be the sexiest network technology, the old standby method for logically segmenting network nodes is being used as electronic duct tape of sorts for many enterprise users.
VLANs are deployed in corporate networks in a variety of ways, including network security authentication, a way to let wireless clients roam among 802.11b access points, a method of segregating IP voice traffic and a way to contain legacy traffic on networks with heterogeneous protocols.
Introduced almost six years ago, most VLANs are based on the IEEE 802.1Q and 802.1p standards. The 802.1Q specification establishes a standard method for inserting VLAN membership information into Ethernet frames. 802.1p is a specification for giving Layer 2 switches the ability to prioritize traffic and perform dynamic multicast filtering.
When first introduced, VLANs were touted as a way to simplify address management by letting IT shops physically deploy servers and PCs anywhere on a network and then associate the machines into groups virtually.
Software on most managed network equipment can be used to associate PC media access control (MAC) addresses with VLANs, letting the client automatically connect to its network when moved from one port to another.
As Layer 3 switches emerged, observers said VLAN technology would become obsolete, as wire-speed routing between subnets would let users control network broadcast traffic more easily. Also, widespread use of Dynamic Host Configuration Protocol (DHCP) on IP networks solved the issue of user mobility. DHCP automatically assigns IP addresses to workstations as needed.
Still, with Layer 3 switches accounting for only 6 per cent of the worldwide Ethernet switch port installed base, according to IDC, VLAN usage still is active among network professionals. Users also are turning on 802.1Q technology in their networks for reasons other than just network management.
Order in the VLAN Court
Harris County, Texas, which includes Houston and its suburbs, recently combined four buildings and 122 courtrooms, court offices and Justice Department offices into a single, 22-story high-rise facility. The building was a natural opportunity for one VLAN, says Jerrl Evans, managing director of infrastructure and network services for Harris County, because combining the 122 private subnetworks in one VLAN was easier than physically plugging users into groups of ports.
VLANs and static IP addresses also are used as a security mechanism, Evans says. All clients working in the new building are given static IP addresses and connect to the network via Alcatel SA’s OmniSwitch routers and OmniCore 5052 backbone switches deployed throughout the building. The VLAN is configured throughout the building, which lets them connect to the network by plugging into any port.
This configuration lets judges and attorneys who might work in different courtrooms throughout the week plug into any port and be on their home networks, Evans says. The set-up also provides security by controlling authorized users’ access rights, and restricting nonregistered users from any access at all.
“The only way anyone can plug into the network at all is for them to have an IP address on their machine that’s on one of our VLANs,” Evans says.
Roaming Through College
Managing a roaming client base gets even trickier when Wi-Fi is thrown into the mix, as was done recently at Bridgewater State College in Massachusetts.
The school has deployed more than 100 Enterasys Networks Inc. RoamAbout 802.11b/a wireless access points that students can use to access the Web and e-mail throughout the campus.
“If we didn’t segregate the wireless traffic into its own VLAN, it would be a nightmare with people moving around campus who want to stay connected,” says Pat Cronin, telecommunications director at Bridgewater State.
“Putting all wireless traffic on a VLAN ensures that no one drops off the network as they move from access point to access point,” which is quite common, as the Enterasys access points deployed throughout the campus have a range of only 150 feet, he says.
Cronin uses a mix of Cisco Systems Inc. and Enterasys stackable switches in the dorms, classrooms and administration offices to connect the wireless access points. After getting over a few cross-vendor VLAN configuration issues, students and faculty now can roam anywhere and stay connected on the same VLAN, whether they are connected to a Cisco or Enterasys switch, he says.
Using VLAN to Manage Legacy Protocols
While some IT professionals find VLANs useful for securing and managing network clients, James Labonte, network engineer at St. John’s Hospital in Springfield, Ill., finds VLANs a useful tool for taming the mix of chatty and hard-to-manage legacy protocols running on his network.
“A lot of what we do with VLANs involves creating private networks,” Labonte says. “Some vendors will say they want you to buy separate network hardware in order to keep networks segmented…but we found that we could save a lot of time and money by creating the private networks virtually.”
Labonte uses SmartSwitch stackable switches and SmartSwitch Router backbone switches from Enterasys to maintain VLANs throughout the hospital’s subnetworks, which run a variety of protocols.
“We keep all our bridged protocols on their own VLAN,” Labonte says. “Why have a machine sending broadcast messages to devices that will just ignore it anyway?”
St. John’s uses Digital VAX minicomputers for customized medical database applications that run on the legacy DECnet protocol. “DECnet does use quite a bit of broadcast traffic,” Labonte says. “We put that traffic on its own VLAN so the DECnet can only get to certain segments of the network.”
The same goes for the group of Novell Inc. NetWare 4.11 servers running on the network.
“We create separate IPX VLANs just for our Novell servers and users,” Labonte says. This keeps the majority of the network, which is based on IP and Windows NT/2000 servers, from getting bogged down with IPX and DECnet traffic, he says.
Segmenting voice-over-IP traffic into VLANs also has become a standard recommendation among IP telephony vendors such as 3Com Corp., Cisco, Alcatel, Nortel Networks Corp. and Avaya Inc. All these vendors support 802.1Q technology on their switches and IP PBX devices, letting IP voice traffic be segmented onto its own VLAN.
Keeping voice on its own virtual segment can be useful, vendors and users say, as a way to isolate voice traffic for troubleshooting purposes. It also can ensure that voice quality does not degrade in the event of broadcast storms or large file downloads across larger segments of a network.