Routers become far more useful once they are trunked into the enterprise switch infrastructure. Once trunked, a router is present on every VLAN and can provide routing services to any subnet in any corner of the enterprise network. This is in essence what a routing module in a high-end core or distribution L3 (Layer 3) switch provides. The technique can serve as a poor man's substitute for a high-end routing module, or it can complement the L3 switch by providing additional isolated routed zones for test labs, guest networks, and any other network segment that requires isolation.

Firewalls are another class of device that benefits greatly from VLAN trunking now that all the big players (Cisco, Nokia/CheckPoint, and NetScreen) support it. In today's high-stakes environment, where security concerns are ever increasing, the more firewall zones (subnets connected by separate virtual or physical network adapters) a firewall provides, the better. With the exception of NetScreen firewalls, firewalls can only block potentially hazardous traffic between zones, not traffic within the same zone. Therefore, the more you separate devices like routers and servers by logical function and security level, the better off you are, since you can limit unnecessary traffic and mitigate many security threats. Because VLAN trunking provides a nearly unlimited number of virtual network connections at lower cost and higher performance than separate physical adapters, it is the perfect addition to a firewall. You can read more on this in:

Understand how to design a secure firewall policy
Increase firewall protection with a better network topology

Transparent proxy servers, such as a Windows server running Microsoft ISA or a Linux server running Squid, can now be built with a single gigabit Ethernet adapter costing as little as $40. A traditional proxy server can be built with a single network connection, but a transparent proxy server usually cannot, because it must sit inline between two network segments to intercept traffic.
Since transparent proxy servers can be implemented with zero client deployment or SOCKS compliance, they are an extremely attractive technology, and trunking makes them that much simpler and cheaper to implement.

VMware hosts are servers that host multiple virtual servers for server virtualization or for system modeling in laboratory testing and research. Although VMware already provides multiple VLANs within the host, its ability to connect those VLANs to physical VLANs is limited by the number of network adapters on the host. A VMware host can provide up to 3 network connections to each virtual machine. Since applications cannot tell the difference between a virtual adapter and a physical one, a VMware host armed with a trunked interface is significantly more flexible and simpler to manage.

One of the hottest new applications of VLAN trunking is wireless networking. The Cisco AP 1200, for example, can behave as 16 virtual wireless LAN infrastructures. Some VLANs can be used for low-security guest Internet access, others for ordinary enterprise users, and administrators can be put on a high-security VLAN with enhanced firewall permissions, all on a single Wi-Fi infrastructure that emulates up to 16 of them. The AP 1200 does this by assigning each of its 16 VLANs its own Wi-Fi SSID, so when you look at it from NetStumbler (a free wireless sniffer) you will think you are looking at up to 16 different wireless networks. Those 16 VLANs are then trunked over the AP 1200's FastEthernet port. This is about as flexible as a wireless LAN gets.

VLAN encapsulation types:

There are several types of VLAN encapsulation. The two most common are Cisco's proprietary ISL (Inter-Switch Link) and the IEEE 802.1q specification.
ISL is an older standard that Cisco used to connect its own switches and routers, but now that 802.1q is ratified, newer Cisco gear supports either both ISL and 802.1q or only 802.1q. Older Cisco equipment may support only ISL trunking, so look up the specifications of your gear before attempting to connect it.

The 802.1q standard works by inserting a 32-bit (4-byte) VLAN tag into every Ethernet frame carried on the trunk, immediately after the source MAC address. Sixteen of those bits are a fixed identifier (0x8100) that marks the frame as tagged, 3 bits carry a priority value, 1 bit is a flag, and the remaining 12 bits are the VLAN ID, which allows 4094 usable VLANs (IDs 0 and 4095 are reserved). The VLAN ID simply declares which VLAN the frame belongs to, and the switch uses it to sort the frames into their proper VLANs. When a frame reaches the end of the line and is forwarded out a non-trunked (access) port, the tag is stripped because it is no longer needed. The reverse is also true: if you connect a trunked host to a non-trunked port, the VLANs will not work, because an access port does not act on the tags; depending on the switch it either drops tagged frames or treats them as belonging to the port's own VLAN, and either way the separation the host expects is lost.

Note that there are serious security implications to using VLAN technology; I will elaborate on them in a future article on VLAN Layer 2 security. Two precautions apply in any case: never let a host-facing port negotiate itself into a trunk, and do not carry ordinary user traffic on a trunk's native VLAN, the VLAN into which a trunk port places untagged frames without any tag to check.

Given that a VLAN tag must be inserted into each and every Ethernet frame, there is a little overhead: slightly larger frames and some CPU work to insert and remove the tags. Because of this, separate physical network adapters will always perform slightly better than virtual adapters sharing a single physical adapter of the same speed. But that deficit is quickly reversed if a single gigabit Ethernet adapter is used in place of multiple FastEthernet adapters, and given all the rewards of VLAN trunking, the small overhead is more than justified.

Trunking requirements:

VLAN trunking requires that the network switch, the network adapter, and the operating system's drivers all support VLAN tagging. Almost any enterprise-grade switch made by Cisco, Extreme, Foundry, and others supports 802.1q.
A few smaller-scale examples are the Cisco 2950 series and Netgear's FSM726. Most high-end client adapters support VLAN trunking; the most common ones you will find are the Intel Pro/100 and Pro/1000, because they are integrated on almost every server manufacturer's motherboard. For those without an integrated Intel adapter, a separate Pro/1000 PCI card can be bought for as little as $40. Driver support on the Intel adapters is excellent and covers almost everything from BSD to Linux to Windows client and server operating systems. My follow-up article on how to actually implement VLAN trunking will focus on Cisco and Intel equipment. Stay tuned…
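As an added example (not code from the original article), the following Python script builds an Ethernet frame, inserts and parses the 32-bit 802.1q tag described in the encapsulation section above, strips it again, and models in simplified form what a trunk port and an access port do with tagged and untagged frames. The MAC addresses and payload are constructed for the demonstration, and the access-port behaviour is an assumption labelled as such: vendors differ on whether a tagged frame arriving on an access port is dropped or accepted.

```python
"""Build, tag, parse and strip IEEE 802.1Q VLAN tags on Ethernet frames.

Constructed example: the MAC addresses and payload are synthetic, so the
script runs offline. The port models are simplified, not any vendor's exact
forwarding logic.
"""
import struct

TPID_8021Q = 0x8100     # EtherType value announcing that a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800
MAC_HDR_LEN = 12        # destination MAC (6 bytes) + source MAC (6 bytes)
TAG_LEN = 4             # TPID (2 bytes) + TCI (2 bytes) = the 32-bit tag


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (FCS omitted for simplicity)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def parse_tag(frame: bytes):
    """Return (vid, pcp, dei, inner_ethertype) for a tagged frame, else None."""
    if len(frame) < MAC_HDR_LEN + 2:
        return None
    (tpid,) = struct.unpack_from("!H", frame, MAC_HDR_LEN)
    if tpid != TPID_8021Q or len(frame) < MAC_HDR_LEN + TAG_LEN + 2:
        return None                     # untagged, or a truncated tag
    tci, inner = struct.unpack_from("!HH", frame, MAC_HDR_LEN + 2)
    # TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    return (tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, inner)


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a trunk port does on egress.

    VID 0 means "priority tagged, no VLAN" and 4095 is reserved, so a real
    VLAN ID must be 1..4094 (everything that fits in 12 bits minus those two).
    """
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} out of range 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    if parse_tag(frame) is not None:
        raise ValueError("frame is already 802.1Q tagged")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:MAC_HDR_LEN] + struct.pack("!HH", TPID_8021Q, tci) + frame[MAC_HDR_LEN:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as a switch does before forwarding out an access port."""
    if parse_tag(frame) is None:
        raise ValueError("frame is not 802.1Q tagged")
    return frame[:MAC_HDR_LEN] + frame[MAC_HDR_LEN + TAG_LEN:]


def access_port_ingress(frame: bytes, access_vid: int):
    """Simplified non-trunked (access) port receiving a frame.

    Assumption (behaviour varies by vendor): untagged frames land in the port's
    access VLAN; a tag equal to the access VLAN is tolerated and stripped; any
    other tag is dropped. Returns (vid, untagged_frame), or None if dropped.
    """
    tag = parse_tag(frame)
    if tag is None:
        return (access_vid, frame)
    if tag[0] == access_vid:
        return (access_vid, strip_tag(frame))
    return None


def trunk_port_ingress(frame: bytes, allowed_vids, native_vid: int):
    """Simplified trunk port: tagged frames are sorted by VID, untagged frames
    fall into the native VLAN, and VIDs not allowed on the trunk are dropped."""
    tag = parse_tag(frame)
    vid = native_vid if tag is None else tag[0]
    if vid not in allowed_vids:
        return None
    return (vid, frame if tag is None else strip_tag(frame))


if __name__ == "__main__":
    dst = bytes.fromhex("02000000aa01")     # constructed, locally administered
    src = bytes.fromhex("02000000aa02")
    untagged = build_frame(dst, src, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    tagged = tag_frame(untagged, vid=10, pcp=5)
    print("tag overhead in bytes:", len(tagged) - len(untagged))
    print("parsed (vid, pcp, dei, ethertype):", parse_tag(tagged))
    print("VLAN 10 frame into an access port on VLAN 20:", access_port_ingress(tagged, 20))
    print("same frame into a trunk lands in VLAN:", trunk_port_ingress(tagged, {10, 20}, 1)[0])
```

Running it shows the 4-byte cost per frame the overhead paragraph refers to, and that a frame tagged for VLAN 10 is simply dropped by the modelled access port on VLAN 20, which is why a trunked host plugged into a non-trunked port gets nowhere.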