Switching Based on Network Frames
It should be obvious that, using various techniques, it is possible to physically connect a large number of computers using switches, and then use software to program the switches to limit which computers can transmit frames to other computers. In other words, you can define LANs using software inside the switch, instead of creating LANs based on the actual physical cabling (see Figure 9.2). This single switch connects several computers, printers, and a server. However, the switch separates these devices into three separate virtual LANs.
Of course, this is a very simplistic example. If you have such a small number of computers, one of the only reasons you would want to create virtual LANs would be for security purposes. This example is meant to show that you can connect multiple network devices (computers, printers, print servers, file servers, routers, and so on) to the same switch, or a set of switches, and then use software that comes with the switch(es) to assign each computer to a separate virtual LAN. Computers on the same virtual LAN can communicate with each other just as if they were joined by a single switch. However, just because all these networked devices are connected to the same switch doesn't mean that they can send or receive data with devices that are configured on a different virtual LAN. In essence, it appears that you are partitioning the ports on the switch as though they were separate switches. That doesn't have to be the case, but it was the first step in creating VLAN switches.
In this chapter it is easy to state that you can create several VLANs using a single switch. From a practical standpoint, however, a single switch is not a limiting factor. Indeed, it is usually the case that multiple switches are installed in a computer rack, and the management software that controls the switches enables you to assign ports from different switches to a VLAN. It is also possible for a switch port to be a member of more than one VLAN.
|
The earliest switches that were used to create VLANs made assignments based on the switch's ports. That is, the administrator could simply designate what VLAN each port would be a member of. This is a fast way to switch frames in a VLAN because no processing needs to be done on the frame itself. Instead, the switch merely outputs the frame on all ports that are in the same VLAN as the incoming port. To place a particular workstation or another network device into a VLAN, you simply have to connect it to a port that is a member of that particular VLAN.
For the most part, the ports are configurable through software, so you can assign an identifier to each port to tell it which VLAN it is a member of. Using software management tools to configure a VLAN in this way means that when a user is moved to another VLAN but his physical location doesn't change, you don't have to make any cabling changes or plug the user into a different port. You just use the management software that comes with the switch to reassign the port to the new VLAN.
Port-based VLANs are the easiest type of VLAN to implement because the switch must do less work. The switch doesn't have to look up an IP address, a hardware address, or anything else to make a forwarding decision. It just looks up the port on which the frame arrives and outputs it on all other ports configured for that particular VLAN. This can be a security issue, though, if you do not physically secure connections to the switch. If the switch is not locked away securely, it's quite possible for someone to plug in a computer to a port and become a member of that VLAN. Of course, you'd probably configure the ports so that any unused ports are not part of any VLAN. However, what's to prevent some informed intruder, such as an unhappy employee, from unplugging one cable and plugging in another? Keep important network devices such as switches and routers locked away!
|
|
Main Menu
|
