Virtual LANs
A VLAN groups individual switch ports into a switched logical workgroup.
It restricts the broadcast domain to the designated VLAN member ports.
Communication between VLANs requires a router.
VLANs solve the scalability problems of large flat networks by breaking a single broadcast domain into several smaller broadcast domains.
A VLAN is a logical group of end devices with a common set of requirements, independent of their physical location.
End-to-end VLANs are associated with switch ports widely dispersed over the network.
They suit services/roles that have a global scope within the network.
Example: a wireless network.
Hosts keep the same IP network (and the same IP address) independently of their location.
This avoids IP changes when moving from location to location.
Example: an administration VLAN (optional).
This VLAN is used by the network administrator to remotely access network equipment.
The same administrator manages (all) equipment, independent of location.
Local VLANs are generally confined to a wiring closet.
They may be defined per service/function:
VoIP phones, video conferences, printers, cameras, PCs, servers, ...
Per user role:
Engineers I, engineers II, technicians, administrators, ...
Per location:
Building I, floor 4, right wing, etc.
Or as a mixture of service/function, role, and location.
E.g.: the VLAN of the VoIP phones of the Engineers in Building I.
Join in the same logical network the services/terminals/users that share the same traffic/security/QoS policies.
Each VLAN must have a unique IP (sub-)network.
A VLAN may have more than one IP (sub-)network,
including IPv4 public and IPv4 private networks,
and IPv6 networks.
Neighboring (local) VLANs with similar traffic/security/QoS policies should have IP (sub-)networks that can be summarized/aggregated.
E.g.: the VLAN of VoIP phones in Building 1 (VLAN 21: 200.0.0.0/24),
and the VLAN of VoIP phones in Building 2 (VLAN 22: 200.0.1.0/24).
Summarized/aggregated address of VLAN 21 + VLAN 22: 200.0.0.0/23.
A VLAN trunk carries traffic for multiple VLANs using IEEE 802.1Q tagging.
Inter-Switch Link (ISL) encapsulation is an alternative, but it is becoming obsolete.
Trunks may transport all VLANs or only some!
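As an added example (not part of the original slides), the following Python builds and parses 802.1Q-tagged Ethernet frames and models a trunk port that forwards only the VLANs on its allowed list; the MAC addresses and payload are constructed here and the VLAN 21 / VoIP priority values follow the slides' own example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an IEEE 802.1Q tag follows


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0, dei=0):
    """Build an Ethernet frame with a 4-byte 802.1Q tag (TPID + TCI) after the MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved by 802.1Q)")
    # TCI = 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VLAN identifier
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return the header fields of a frame; 'vid' is None when no 802.1Q tag is present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner_type, "payload": frame[18:]}


def trunk_forwards(frame, allowed_vids):
    """Model a trunk port with an allowed-VLAN list: only tagged frames with an allowed VID pass."""
    vid = parse_frame(frame)["vid"]
    return vid is not None and vid in allowed_vids


# Constructed sample frames (hypothetical MACs): one on VLAN 21, the VoIP VLAN of the
# slides' example, with voice priority PCP 5, and one untagged frame with the same payload.
DST = bytes.fromhex("010203040506")
SRC = bytes.fromhex("0a0b0c0d0e0f")
PAYLOAD = b"\x45" + b"\x00" * 19  # minimal IPv4-looking payload, not a real packet
SAMPLE_VLAN21 = build_tagged_frame(DST, SRC, 21, 0x0800, PAYLOAD, pcp=5)
SAMPLE_UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD

if __name__ == "__main__":
    print(parse_frame(SAMPLE_VLAN21))
    # A trunk allowing VLANs 21 and 22 forwards the frame; one allowing only 22 drops it.
    print(trunk_forwards(SAMPLE_VLAN21, {21, 22}), trunk_forwards(SAMPLE_VLAN21, {22}))
```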
L2 switch + router:
This design does not allow end-to-end VLANs.
L3 switch + L3 switch:
Traffic between VLANs must “travel” until the first L3 switch performs routing.
To communicate between different VLANs, Layer 3 (IP routing) is required.
Common solutions:
A router with 802.1Q support:
Connect the router's physical interface to a trunk port.
The router's physical interface is subdivided into sub-interfaces (one for each VLAN).
The IP gateway for a VLAN host is the IP address of the respective sub-interface in the router.
A Layer 3 switch:
Connect both switches (L3 and L2) using trunk ports.
Each VLAN is mapped to a virtual Layer 3 interface.
The IP gateway for a VLAN host is the IP address of the respective virtual interface in the L3 switch.
End-to-end VLAN traffic should be switched over the Distribution/Core layers,
using a trunk (for end-to-end VLANs only).
Local VLAN traffic should be routed over the Distribution/Core layers,
using standard Layer 3 links.
Using static routing (not the best solution!).
Or using a routing protocol: exchange the routing information only through the L3 links.
End-to-end VLAN interfaces should be passive interfaces for the routing processes.
Routes are not exchanged over them → traffic is not routed over them!
The throughput/speed of a single connection link may not be enough to fulfill the requirements.
Multiple Ethernet links may be aggregated, providing a seamless trunk connection with N times the throughput/speed of a single link.
Ethernet frames are “load-balanced” across all available physical links.
VXLAN (Virtual Extensible LAN) encapsulates OSI Layer 2 Ethernet frames within Layer 4 UDP datagrams.
Default UDP port: 4789.
It is an alternative to 802.1Q.