VLAN Design Considerations

In a flat, bridged network, all broadcast frames and packets generated by any host in the network are sent to and received by all other hosts in the same network. The ambient level of broadcasts generated by the higher-layer protocols in the network, known as broadcast radiation, restricts the total number of nodes that the network can support. In severe cases, the broadcast radiation effects can be such that a workstation spends all of its CPU power on processing broadcasts, and not on any other applications, such as your e-mail, web browser, or Solitaire game.

Designing and implementing VLANs solves some of the scalability problems of large, flat networks by breaking the single broadcast domain into several smaller domains, each of which is its own VLAN. Simply overlaying VLANs on top of a flat, switched network is not sufficient to solve its broadcast problems: doing so reduces the size of each broadcast domain, but it also increases the number of domains, which introduces a different problem of management and design.

VLANs without routers do not scale well into larger campus environments. Routing is instrumental to the building of scalable VLANs and is the only way you can impose hierarchy on your switched VLAN network.

VLANs enable the following features to be implemented in your network:

  • Broadcast control: Switches isolate collision domains for attached hosts and only forward appropriate traffic out a particular switch port; VLANs refine this isolation concept further by providing complete isolation between VLANs. A VLAN contains all broadcast and multicast traffic within itself.

  • Security: VLANs can provide security in two ways:

    - High-security users can be grouped into a VLAN, and no users outside of that VLAN can communicate with them.

    - Because VLANs are logical groups that behave like physically separate entities, inter-VLAN communication is enabled through the use of a router. When a router is used in your network, security and filtering functionality is then available to you because routers look at OSI Layer 3 information.

  • Performance: The logical grouping of users allows, for example, engineers using networked computer-assisted design/computer-assisted manufacturing (CAD/CAM) workstations or testing a multicast application to be assigned to a VLAN containing just those engineers and the servers they need. When you separate the engineering group traffic into its own VLAN, their work does not affect the rest of the network users, resulting in improved network performance for both groups. The engineering team has dedicated bandwidth, and the rest of the users are not slowed down by the engineering team's use of the network.

  • Network management: The logical grouping of users, separated from their physical or geographic locations, allows for easier management of the network. It is not necessary to pull cables if you are moving a user from one network to another, such as moving to a new floor in the building. Network moves, additions, and changes are achieved by configuring the switch port into the appropriate VLAN.

VLAN Implementation

The two primary methods of creating the broadcast domains that make up the various types of VLANs you can implement are as follows:

  • By port: Also known as a segment-based VLAN; each port on the switch can be part of only one VLAN. With port-based VLANs, no network (OSI Layer 3) address recognition occurs within the switch, so IP and Novell IPX networks must share the same VLAN definition. This means that all traffic within the VLAN, regardless of the network protocol used, shares the broadcast domain. All traffic within the VLAN is switched, and traffic between VLANs is routed by an external router or by a router within the switch.

  • By protocol: Also known as a virtual-subnet VLAN; protocol-based VLANs are based on network (OSI Layer 3) addresses. Protocol-based VLANs can differentiate between different network protocols, such as IP and IPX, enabling the definition of VLANs to be made on a per-protocol basis, somewhat like grouping people together at a party based on the language each speaks so that they can communicate with each other. With Layer 3-based VLANs, it is possible to have a different virtual topology for each protocol in use within the network, with each topology having its own set of transmission and network security policies. Switching between protocol-based VLANs happens automatically when the same protocol is used within each VLAN. Communication between VLANs on different Layer 3 subnets needs an external router or router card in the switch.

When using Layer 3-based VLANs, a switch port can be connected to more than one VLAN.
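The following is an added example, not code from the book: a small Python model of the port-based VLAN described above, used to check the broadcast-control and security claims from the earlier list. Each port is assigned to one VLAN ID, a broadcast is flooded only within the sender's VLAN, and traffic between VLANs is possible only through a router that applies a Layer 3 (IP) permit list. The port numbering, VLAN IDs, subnets and permit rule are constructed for the example.

```python
import ipaddress


class PortVlanSwitch:
    """Port-based VLAN: every switch port belongs to exactly one VLAN ID."""

    def __init__(self, port_vlans: dict[int, int]):
        self.port_vlans = dict(port_vlans)           # port -> VLAN ID
        self.vlan_ports: dict[int, set[int]] = {}    # VLAN ID -> member ports
        for port, vlan in port_vlans.items():
            self.vlan_ports.setdefault(vlan, set()).add(port)

    def flood(self, src_port: int) -> set[int]:
        """A broadcast is flooded only to the other ports of the sender's
        VLAN; broadcast radiation never crosses the VLAN boundary."""
        return self.vlan_ports[self.port_vlans[src_port]] - {src_port}


class Router:
    """Only path between VLANs; decides on Layer 3 (IP) information."""

    def __init__(self, vlans: set[int], permit: list[tuple[str, str]]):
        self.vlans = set(vlans)                      # VLANs it has an interface in
        self.permit = [(ipaddress.ip_network(s), ipaddress.ip_network(d))
                       for s, d in permit]           # (src net, dst net) allow rules

    def allows(self, src_ip: str, dst_ip: str) -> bool:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return any(s in sn and d in dn for sn, dn in self.permit)


def can_reach(switch, router, src_port, dst_port, src_ip, dst_ip) -> bool:
    """Unicast delivery: switched inside a VLAN, routed and filtered between VLANs."""
    src_vlan, dst_vlan = switch.port_vlans[src_port], switch.port_vlans[dst_port]
    if src_vlan == dst_vlan:
        return True                                  # same broadcast domain: switched
    if router is None or not {src_vlan, dst_vlan} <= router.vlans:
        return False                                 # no router: VLANs are fully isolated
    return router.allows(src_ip, dst_ip)             # routed, subject to the L3 policy


# Constructed sample: ports 1-3 are engineering ("blue", VLAN 10) and ports 4-5
# manufacturing ("yellow", VLAN 20); the router permits only engineering hosts
# to reach one manufacturing server.
SWITCH = PortVlanSwitch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
ROUTER = Router({10, 20}, permit=[("10.0.10.0/24", "10.0.20.5/32")])
```

Without the router, no path exists between the blue and yellow VLANs at all; with it, only the flows the Layer 3 permit list names are forwarded, which is the filtering the security bullet refers to.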

VLANs are often differentiated by assigning each VLAN a "color," or VLAN ID. For example, engineering might be the "blue" VLAN, and manufacturing might be the "yellow" VLAN.

For a refresher on VLANs, review Chapter 8.