VLANs on the CoreBuilder 2500 System


About VLANs

Virtual LANs (VLANs) are logical subnetworks composed of selected CoreBuilder 2500 network interfaces. VLANs help minimize broadcast and multicast traffic across networks. VLANs also make it easier for you to move, add, and change end stations.

In the CoreBuilder 2500 system, VLANs allow you to:

Types of VLANs

You can use several types of VLANs to group users:

The packet filtering capabilities in the CoreBuilder 2500 system provide support for port group, MAC address group, and application-oriented VLANs. For information about how to filter port groups and MAC address groups, see the Operation Guide and the Administration Console User Guide. For information about how to configure and manage protocol-sensitive VLANs, see the description of the Administration Console menus in Chapter 9.

Port Group VLANs

Port group VLANs, which connect one or more switch ports, require little configuration. Port groups are useful when traffic patterns are directly associated with particular ports. Port groups can benefit the network by restricting traffic based on a set of simple rules.

A port group VLAN groups all frames received on a port and keeps the frames within that port group, regardless of the data contained in the frames.

MAC Address Group VLANs

In a MAC address group VLAN, a switch filters by MAC addresses. This type of VLAN is very secure because you can configure these MAC address groups so that stations in the group can communicate only with each other or with specific network resources.

This type of VLAN is also easy to maintain because a VLAN association moves when a station moves. However, MAC address group VLANs may require complex configuration in comparison to other types of VLANs.

Application-Oriented VLANs

Using the CoreBuilder 2500 filtering capability, a switch can filter application-specific traffic such as telnet traffic or FTP traffic based on higher-layer information. To create this application-oriented VLAN, you configure packet filters that specify data and offsets of the data within received packets. For example, to use a filter on a particular port for all telnet traffic, create a filter that discards all TCP traffic that is received on the telnet port.

You can also use IP multicast routing and autocast VLANs to group IP multicast traffic for specific applications.

Protocol-Sensitive VLANs

The CoreBuilder 2500 system forwards, to all ports, any data that has a broadcast, multicast, or unknown destination address. This process is referred to as bridge flooding.

With protocol-sensitive VLANs, you can restrict flood traffic for routable and nonroutable protocols. Protocol-sensitive VLANs have a relatively simple configuration, grouping one or more switch ports together for a specified network Layer 3 protocol, such as IP or AppleTalk. These VLANs determine flooding based on the network layer protocol of the frame. In addition, for IP VLANs, you can make flooding decisions based on Layer 3 subnetwork address information.

In a multiprotocol environment, protocol-sensitive VLANs can effectively control broadcast and multicast flooding. They operate independently of each other. In addition, the same switch port can belong to multiple VLANs. For example, you can assign port 1 on a CoreBuilder 2500 system to several IP subnetwork VLANs, one IPX VLAN, one AppleTalk VLAN, and one NetBIOS VLAN.

Although two or more types of VLANs can coexist within the CoreBuilder 2500 system, when a switch evaluates received data in a multiple VLAN configuration, port group VLANs, MAC address group VLANs, and application-oriented VLANs always take precedence over protocol-sensitive VLANs.

CoreBuilder 2500 Protocol-Sensitive VLAN Configuration

The CoreBuilder 2500 protocol-sensitive VLAN configuration includes three elements: the protocol suite, the switch ports, and the Layer 3 addressing information for IP VLANs.

Protocol Suite

The protocol suite describes which protocol entities can comprise a protocol-sensitive VLAN. For example, CoreBuilder 2500 VLANs support the IP protocol suite, which is made up of the IP, ARP, and RARP protocols.

Table 2-1 lists the protocol suites that the CoreBuilder 2500 supports, as well as the protocol types included in each protocol suite.

Table 2-1 Supported Protocols for VLAN Configuration

| Protocol Suite | Protocol Types |
|---|---|
| IP | IP, ARP, RARP (Ethernet II) |
| Novell IPX | IPX (Ethernet II, 802.2, 802.3, 802.3 SNAP) |
| AppleTalk | DDP, AARP (Ethernet II, 802.3 SNAP) |
| Xerox XNS | XNS IDP, XNS Address Translation, XNS Compatibility (Ethernet II, 802.3 SNAP) |
| DECnet | DEC MOP, DEC Phase IV, DEC LAT, DEC LAVC (Ethernet II, 802.3 SNAP) |
| SNA | SNA Services over Ethernet (Ethernet II, 802.2, 802.3 SNAP) |
| Banyan VINES | Banyan (Ethernet II, 802.3 SNAP) |
| X25 | X.25 Layer 3 (Ethernet II, 802.3 SNAP) |
| NetBIOS | NetBIOS (802.2) |
| Default | Default (all protocol types) |

Switch Ports

A group of switch ports is any combination of ports on a CoreBuilder 2500 system bridge. Included are switch ports created as ATM LAN Emulation Clients (ATM LECs). VLANs support only media implementations that run over switch (bridge) ports, for example, ATM Logical IP Subnets (ATM LISs).

Layer 3 Addressing Information

For IP VLANs only, the CoreBuilder 2500 system optionally supports configuring individual IP VLANs with network layer subnetwork addresses. With this additional Layer 3 information, you can create independent IP VLANs that share the same switch ports for multiple IP VLANs. To distinguish among multiple IP VLANs on the same switch port, the CoreBuilder 2500 system floods data according to both the protocol (IP) and the Layer 3 information in the IP header. This configuration is discussed in "Overlapped IP VLANs."

Default VLAN

When you start the CoreBuilder 2500 Extended Switching software, the system creates a default VLAN. Initially, the default VLAN includes all the system's switch ports. The CoreBuilder 2500 default VLAN defines:

Both cases represent exception flooding conditions that are described in the following sections.

Modifying the Default VLAN

If you insert a LAN card or create an ATM LEC, new switch ports can dynamically appear. When a new switch port that is not part of a default VLAN appears in the system at initialization, the system software adds that switch port to the first default VLAN defined in the system.

With CoreBuilder 2500 VLANs you can modify the initial default VLAN to form two or more subsets of switch ports. If you remove the default VLAN and no other VLANs are defined for the system, no flooding of traffic can occur.

Flooding Decisions in the CoreBuilder 2500

Protocol-sensitive VLANs directly affect how the CoreBuilder 2500 system performs flooding. Without protocol-sensitive VLANs, the flooding process forwards data to all switch ports in the system. With protocol-sensitive VLANs, the flooding process follows this model:

The following example shows how flooding occurs according to VLANs set up by protocol. The example assumes an 18-port switch.

| VLAN Index | VLAN Protocol | VLAN Ports |
|---|---|---|
| 1 | Default | 1 - 18 |
| 2 | IP | 1 - 12 |
| 3 | IPX | 11 - 16 |

| Data received on this port | Is flooded on this VLAN | Because |
|---|---|---|
| IP - port 1 | VLAN 2 | The received IP data matches the IP VLAN on the source port. |
| IPX - port 11 | VLAN 3 | The received IPX data matches the IPX VLAN on the source port. |
| XNS - port 1 | VLAN 1 | The received XNS data matches no protocol VLAN, so the default VLAN is used. |

VLAN Exception Flooding

Data for a protocol may arrive on a switch port that has no defined VLAN for that protocol. In such cases, called VLAN exception flooding, the default VLAN defines the flooding domain for the data, even if a VLAN for the protocol exists elsewhere in the system.

The following example shows how VLAN exception flooding occurs. The example assumes an 18-port switch.

| VLAN Index | VLAN Protocol | VLAN Ports |
|---|---|---|
| 1 | Default | 1 - 18 |
| 2 | IP | 1 - 10 |

| Data received on this port | Is flooded on this VLAN | Because |
|---|---|---|
| XNS - port 1 | VLAN 1 | The received XNS data does not match any defined VLAN in the system. |
| IP - port 2 | VLAN 2 | The received IP data matches IP VLAN 2 for source ports 1 through 10. |
| IP - port 12 | VLAN 1 | The received IP data on source port 12 does not match any defined source port for IP VLAN, so the default VLAN is used. |

Overlapped IP VLANs

You can assign network layer information to IP VLANs so you can manage your VLANs by subnetwork. The CoreBuilder 2500 system makes flooding decisions by first matching the incoming frame using the protocol (IP) and then matching the frame with Layer 3 subnetwork information. If the received data is IP but does not match any defined IP subnetwork VLAN, the data is flooded within all IP VLANs using the relevant switch port.

For example, you can configure two overlapping IP VLANs for ports 1 through 10 as follows:

The following example shows how flooding decisions are made using overlapping IP VLANs. The example assumes a 12-port switch.

| VLAN Index | VLAN Protocol | Network Address/Mask | VLAN Ports |
|---|---|---|---|
| 1 | Default | none | 1 - 12 |
| 2 | IP | 158.103.122.0 / 255.255.255.0 | 1 - 6 |
| 3 | IP | 158.103.123.0 / 255.255.255.0 | 6 - 12 |

| Data received on this port | Is flooded on this VLAN | Because |
|---|---|---|
| IP subnetwork 158.103.122.2 on port 6 | VLAN 2 | The IP network layer matches the Layer 3 address for VLAN 2. |
| IP subnetwork 158.103.123.2 on port 6 | VLAN 3 | The IP network layer matches the Layer 3 address for VLAN 3. |
| IP subnetwork 158.103.124.2 on port 6 | VLAN 2 and VLAN 3 | The IP network layer does not match any Layer 3 address for IP VLANs. |
| IPX on port 6 | VLAN 1 | The IPX frame does not match any defined VLAN. |

When the subnetwork address of an IP packet does not match any subnetwork address of any defined IP VLAN in the system, the system floods the data to all of the IP VLANs that share the source switch port. In this example, the shared source port is port 6.
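The flooding rules described in the three examples above (protocol match, exception flooding, and overlapped IP VLANs) can be modeled in a few lines. This is an added illustration, not CoreBuilder 2500 software: the names Vlan, vlan, flood_vlans and flood_ports are hypothetical, the model covers protocol-sensitive VLANs only, and it assumes that an IP VLAN without Layer 3 information matches any address and that the caller passes whichever IP header address the switch compares.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Vlan:
    index: int
    protocol: str                                    # "Default", "IP", "IPX", ...
    ports: frozenset
    subnet: Optional[ipaddress.IPv4Network] = None   # optional, IP VLANs only

def vlan(index, protocol, first, last, subnet=None):
    """Build a Vlan from an inclusive port range and an optional address/mask."""
    net = ipaddress.ip_network(subnet) if subnet else None
    return Vlan(index, protocol, frozenset(range(first, last + 1)), net)

def flood_vlans(vlans, protocol, port, ip_addr=None):
    """Return the indexes of the VLANs that bound flooding for one frame."""
    candidates = [v for v in vlans if v.protocol == protocol and port in v.ports]
    if not candidates:
        # Exception flooding: no VLAN for this protocol on the source port,
        # so the default VLAN containing the port defines the domain.
        return sorted(v.index for v in vlans
                      if v.protocol == "Default" and port in v.ports)
    if protocol == "IP" and ip_addr is not None:
        # Overlapped IP VLANs: narrow by subnet; if no subnet matches, flood
        # within all IP VLANs that share the source port.
        addr = ipaddress.ip_address(ip_addr)
        matched = [v for v in candidates if v.subnet is None or addr in v.subnet]
        candidates = matched or candidates
    return sorted(v.index for v in candidates)

def flood_ports(vlans, protocol, port, ip_addr=None):
    """Return every port that belongs to the frame's flooding domain."""
    chosen = set(flood_vlans(vlans, protocol, port, ip_addr))
    return sorted(set().union(*(v.ports for v in vlans if v.index in chosen)))

# VLAN tables constructed from the three examples in this chapter.
BY_PROTOCOL = [vlan(1, "Default", 1, 18), vlan(2, "IP", 1, 12), vlan(3, "IPX", 11, 16)]
EXCEPTION = [vlan(1, "Default", 1, 18), vlan(2, "IP", 1, 10)]
OVERLAPPED = [
    vlan(1, "Default", 1, 12),
    vlan(2, "IP", 1, 6, "158.103.122.0/255.255.255.0"),
    vlan(3, "IP", 6, 12, "158.103.123.0/255.255.255.0"),
]

if __name__ == "__main__":
    for addr in ("158.103.122.2", "158.103.123.2", "158.103.124.2"):
        print(addr, "on port 6 ->", flood_vlans(OVERLAPPED, "IP", 6, addr))
```

In this model, flood_ports(EXCEPTION, "IP", 12) returns all 18 ports: IP data arriving on a port outside the IP VLAN is flooded across the default VLAN, so ports left out of a protocol VLAN are worth reviewing when that VLAN is meant to contain the protocol's flood traffic.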

Routing Between VLANs

Stations in two different VLANs communicate only by routing between them. The CoreBuilder 2500 system supports internal routing among IP, IPX, and AppleTalk VLANs. If VLANs are configured for other routable network layer protocols, they communicate only through an external router.

You configure routing protocol interfaces based on a VLAN defined for that protocol. To assign a routing interface, you first create a VLAN for that protocol and then associate it with that interface.

For example, to create an IP interface that routes through a VLAN:

1. Create an IP VLAN for a group of switch ports.

This IP VLAN does not need to contain Layer 3 information unless you want to further restrict flooding according to the Layer 3 subnetwork address.

2. Configure an IP interface with a network address, subnet mask, broadcast address, cost, and type (vlan). Select an IP VLAN to bind to that IP interface.

If Layer 3 information is provided in the IP VLAN for which you are configuring an IP interface, the subnetwork portion of both addresses must be the same.

For example:

IP VLAN subnetwork 157.103.54.0 with subnet mask of 255.255.255.0

IP host interface address 157.103.54.254 with subnet mask of 255.255.255.0

The group of ports within an IP VLAN or router interface can communicate at the Layer 2 (bridging) level. IP data uses the IP routing interface to reach a different IP subnetwork, even if the destination subnetwork is on a shared port.


VLAN Configuration Examples

In Figure 2-1, three protocol-sensitive VLANs (two IP and one IPX) interconnect over a high-speed FDDI link. The end stations and servers are on 10 Mbps ports with traffic that is segregated by protocol. Traffic aggregates only over the FDDI link.

Figure 2-1 Example of a Protocol-Sensitive VLAN Configuration

In Figure 2-2, two overlapping protocol-sensitive VLANs (IP and IPX) are connected to servers on separate, high-speed 100BASE-T ports. The client end stations share the same switch ports, yet the IP traffic and IPX traffic remain separate.

Figure 2-2 Overlapping VLAN Configuration with Servers on Separate Ports
