Cisco Switching Black Book - Sean Odom, Hanson Nottingham.pdf
Added: 24.05.2014

the network.

The processors in each node handle this task, which takes away from the processing power needed for other tasks and applications—thus causing a slowdown that the users discover and complain about. Most network administrators pass off this slowness as a problem with the PCs, and the most vital PCs are rebuilt or replaced. When the companies finally decide to upgrade to a switched network, they can typically do so over a weekend. When the network users leave on Friday, their high-powered Pentiums stacked with RAM have the speed of 386s. When they return Monday morning, nothing is more exciting than hearing comments all over the office about how their computers boot up more quickly and run so much faster, and how they like the faster network. But did the users get a faster network? In one sense, the network did get an upgrade; but this upgrade merely eliminated the problems of a flat topology network by segmenting the network into smaller collision and broadcast domains.

How did they do this? By replacing the hubs (which send data they receive out every single port, forcing every node attached to them to process the data whether the node is meant to receive the data or not) with switches. In terms of per-port costs, replacing your hubs with switches is a solution at a quarter of the cost of upgrading the network cabling. So, what segments the network? VLANs.

Note: Sometimes, if you have a 10BaseT network with Category 3 or 4 cabling, the best solution is to fix the immediate problems by upgrading to Category 5 cabling and implementing a Fast Ethernet network in conjunction with installing switches. However, most network users do not need more than true 10Mbps from the Access layer switches to their desktops even if they are using high-bandwidth applications. After all, before they had switches, the users were getting along with only 3Mbps or 4Mbps on their 10Mbps link, due to broadcasts, collisions, and network utilization.

Why Use VLANs?

VLANs are used to segment the network into smaller broadcast domains or segments. The primary reason to segment your network is to relieve network congestion and increase bandwidth. Segmentation is often necessary to satisfy the bandwidth requirements of a new application or a type of information the network needs to be able to support, such as multimedia or graphical design applications. Other times, you may need to segment the network due to the increased traffic on the segment or subnet.

Be careful not to oversegment. Placing each port in an individual VLAN is like placing a router to stop broadcasts between each individual VLAN. Routers are like bug poison—they kill broadcasts dead. Broadcasts can’t escape through routers and they can’t escape a VLAN, either. Each VLAN becomes its own individual broadcast domain. When a network node or workstation sends out an advertisement or broadcast to the other nodes on a segment, only the nodes assigned to the VLAN to which the node sending the broadcast is assigned will receive that broadcast.

Another definition of a VLAN is a logical grouping of network users and resources connected administratively to defined ports on a switch. By creating VLANs, you are able to create smaller broadcast domains within a switch by assigning different ports on the switch to different subnetworks. Ports assigned to a VLAN are treated like their own subnet or broadcast domain. As a result, broadcast frames are switched at Layer 2 only between ports in the same VLAN.

Using virtual LANs, you’re no longer confined to physical locations. VLANs can be organized by location, function, department, or even the application or protocol used, regardless of where the resources or users are located. In a flat network topology, your broadcast domain consists of all the interfaces in your segment or subnet. If no devices—such as switches or routers—divide your network, you have only one broadcast domain. On some switches, an almost limitless number of broadcast domains or VLANs can be configured.


VLAN Basics

Inter-Switch Link (ISL) protocol was designed to allow VLAN traffic to flow from one Cisco device to another. The protocol adds a header that uniquely identifies the source and destination of the data as well as the VLAN the data is a member of. If data from one VLAN needs to be forwarded to another VLAN, it requires some type of Layer 3 routing.

Layer 3 routing can be provided by any number of modules known as internal route processors. The internal route processors available from Cisco for Cisco switches are the Route Switch Feature Card (RSFC), NetFlow Feature Card (NFFC), Multilayer Switch Feature Card (MSFC), Multilayer Switching Module (MSM), and Route Switch Module (RSM). Layer 3 routing for VLANs can also be provided by some Cisco routers that support ISL, such as the Cisco 4000 series and the Cisco 7000 series.

Spanning Tree Protocol (STP), which can be applied to each individual VLAN, keeps the network from forming bridging loops when a packet can reach a given destination multiple ways. This means you can provide multiple ways to get data from point A in your network to point B, thereby providing redundancy in case one link fails. STP blocks the redundant ports so only one path exists for data in the network.

VLANs allow you to use these links to load balance data. By assigning different VLANs to each link, data from one VLAN can use one link and another VLAN can use the second, redundant link. A VLAN would use the other link only during a link failure in the network; in this case the VLANs assigned to the lost link would converge and use the link that was still available.

A Properly Switched Network

Let’s take a look at how a properly switched network should look. This network implements the switches using a hierarchical model, as shown in Figure 5.1. Notice that you don’t need a high−speed link to every workstation in order to create an efficient network, even when using high−end applications such as graphical CAD applications. In the figure, you see 10Mbps links to each workstation, a Fast Ethernet trunk to the switch containing the servers, and 100Mbps links to each server. This way, the amount of bandwidth entering from the 10Mbps switch will not overwhelm all the server links, and you create an efficiently switched network without bottlenecks.

Figure 5.1: An example of a properly switched network.

Note: Switching technology complements routing technology, and both have their place in the networks of today.

Using Layer 2 switches to create individual collision domain segments for each node residing on a switch port increases the number of nodes that can reside on an Ethernet segment. This increase means that larger networks can be built, and the number of users and devices will not overload the network with more broadcasts and packets than each device on the network can handle (and still maintain a consistent level of processing).

Broadcasts are used in each and every networking protocol. How often they occur depends upon the protocol, the applications running on the network, and how these network services are used.

To avoid the older, chatty protocols, older applications have been rewritten to reduce their bandwidth needs even though bandwidth availability to desktops has increased since the applications were written. New-generation applications utilizing multimedia—such as video conferencing, Voice Over IP, Web applications, multicast, and unicast—are bandwidth-greedy and like to consume all the bandwidth they can find.

When your company or organization tries to keep up with technology, you’ll find that faulty equipment, inadequate segmentation, non-switched networks, and poorly designed networks each contribute to the problems of broadcast-intensive applications. To add insult to injury, protocol designers have found ways to propagate application data through the switched internetwork. Not only that, but by using applications from the Web that utilize unicast and multicast, you continue to receive constant broadcasts even between routers. The old rule—that a router stops broadcasts dead—doesn’t work.

As an administrator, you must make sure the network is properly segmented, to keep problems on one segment from propagating through the internetwork; you must also create ways of killing the unwanted traffic. You can do so most effectively through a combination of switching and routing. Switches have become more cost effective, allowing many companies to replace their flat network hubs and bridges with a pure switched network utilizing VLANs. As mentioned earlier, all devices in a VLAN are members of the same broadcast domain and receive all broadcasts from members of the same VLAN. The broadcasts, by default, are filtered from all ports on a switch that are not members of the same VLAN.

Routers and switches that utilize internal route processors (such as RSMs) are used in conjunction with Access layer switches and provide connections between network segments or VLANs. If one VLAN wants to talk to another, the process must be routed at Layer 3. This arrangement effectively stops broadcasts from propagating through the entire internetwork.

Security is also a benefit of VLANs and switches. A flat Layer 2 network has almost no security. Users on every network device can see the conversations that take place between all users and devices on the network. Using certain software, not only can they see the network conversations, the users can alter the data and send it on to its destination; this action is referred to as a man-in-the-middle attack. In a flat area network, you cannot stop devices from broadcasting and other devices from trying to respond to broadcasts. Your only security lies in the passwords assigned to your workstation or other devices on the network. Unfortunately, the passwords can only be used on the local machine, not on data traversing the network. Let’s take a better look at how switches improve security in the network.

Switched Internetwork Security

In the previous paragraph, I described the network security issues in a flat internetwork that is implemented by connecting hubs and switches with routers. In this type of network, security is maintained by the router to disallow unwanted access—but anyone connecting to the physical network can easily gain access to the network resources on that physical LAN or network segment. An intrusion in your local network could easily happen when a person (even a somewhat educated employee) runs certain software (like that available in Windows NT) to analyze the network packets and obtain passwords and user information without the knowledge of the network administrators. To make matters worse, in a flat network, the intrusion can be done from any port—even at a user’s desk. The user does not need access to the wiring closet to see all the traffic in that network.

By using switches and implementing VLANs, the switch takes care of making sure that data is sent directly from the port on the switch containing the source node, and that the data only exits out the port on which the destination node resides. The switch also makes sure that when a broadcast is received, only the ports assigned to the VLAN that the source port is a member of receive that broadcast.
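The forwarding behaviour just described, modelled as an added example (not code from the book): each port carries an access VLAN, MAC addresses are learned per VLAN, known unicast leaves on exactly one port, and broadcast or unknown-unicast frames flood only within the ingress port's VLAN. The port numbers, MAC addresses and VLAN ids below are constructed for the demonstration.

```python
# Added example (not from the book): a minimal VLAN-aware switch model. Port
# numbers, MAC addresses and VLAN ids are constructed for the demonstration.
from collections import namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "src dst payload")


class VlanSwitch:
    """Switch with per-port VLAN membership and a (VLAN, MAC) -> port table."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # port -> access VLAN
        self.mac_table = {}                  # (vlan, mac) -> port

    def ports_in_vlan(self, vlan):
        return {p for p, v in self.port_vlans.items() if v == vlan}

    def forward(self, in_port, frame):
        """Return the set of egress ports for a frame received on in_port."""
        vlan = self.port_vlans[in_port]
        # Learn the source MAC on the ingress port, scoped to its VLAN.
        self.mac_table[(vlan, frame.src)] = in_port
        if frame.dst == BROADCAST:
            # Broadcast: flood only to the other ports of the same broadcast domain.
            return self.ports_in_vlan(vlan) - {in_port}
        out = self.mac_table.get((vlan, frame.dst))
        if out is None:
            # Unknown unicast: flood within the VLAN, never across it.
            return self.ports_in_vlan(vlan) - {in_port}
        # Known unicast: a single egress port; no other port sees the frame.
        return set() if out == in_port else {out}


def demo():
    # Constructed topology: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20.
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20})
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    results = {}
    # Host A (port 1) broadcasts: only port 2, in the same VLAN, receives it.
    results["bcast"] = sw.forward(1, Frame(a, BROADCAST, "who-has 10.0.0.2"))
    # Host B (port 2) replies by unicast; A is learned, so only port 1 gets it.
    results["known"] = sw.forward(2, Frame(b, a, "10.0.0.2 is-at B"))
    # A host in VLAN 20 (port 3) addressing A: unknown there, floods to port 4 only.
    results["cross"] = sw.forward(3, Frame("00:00:00:00:00:0c", a, "x"))
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: egress ports {sorted(ports)}")
```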

