Connectivity by Rawn Shah

Laying out the virtual network

Virtual networking takes us beyond the confines of the limited cells created over a decade ago with Ethernet, token ring, and FDDI. Our tutorial on virtual LANs describes addressing, grouping, and routing in this environment.

July 1997

In our continued view of the world of asynchronous transfer mode (ATM) technology, we will come across one of the most commonly used features it provides: the virtual local area network or VLAN. Unlike current LAN designs, a VLAN need not sit within one physical or geographical area, yet it still keeps its group of computers within their own private network. We look at addressing, grouping, and switching issues. (1,800 words)

The concept of a virtual network enforces a higher degree of security and efficiency of data traffic. You can combine several computers into their own VLANs which operate in their own private domain separate from other VLANs. Nodes in one VLAN will never see the nodes in another VLAN even if they are connected to the same switch unless you directly build a link between the two VLANs. This kind of link can be a router forwarding packets between the two VLANs, or a node which has two separate interfaces, one for each VLAN.

Because the computers are effectively disjoint from each other in their own private domains (VLANs), the packets from one VLAN domain never reach the other, ensuring security through independence. Furthermore, this also enhances throughput, since you send only the traffic needed by the other members of the same domain.


Building the VLAN
Although VLANs can be created with practically any kind of technology, most networking systems today do not lend themselves to an elegant VLAN design. For example, take good old Ethernet: although computers can communicate independently of each other over an Ethernet, it is still basically a shared medium on which all stations actually receive every frame of data, and only the proper ones accept it. This implies that stations within an Ethernet have to be cooperative and behave in a proper manner. Things go out of whack when someone drops in a packet sniffer that grabs all frames going across the network. The same goes for token ring and FDDI. The closest they come to independence is the switched network scheme, which forms the basis for switched Ethernet and, interestingly, ATM as well.

In a pure end-to-end ATM network, the individual circuits -- PVCs (private virtual circuits) or SVCs (switched virtual circuits) -- are all switched and form direct connections from one station to the other. Even though they go through the same switch hardware, these packets do not intersect at the hardware level unless specifically coordinated to do so.

The way VLANs are actually created gets more complicated. The basic concept of connecting computers together in a common environment is simple enough. However, there are several considerations. First, you must decide how to identify these machines; this is the problem we all know as addressing. Then you must identify how the individual machines are grouped together; this is VLAN grouping or domain control. Finally, you must indicate if they are to be linked to a point outside their VLAN domain; this is called inter- or extra-domain routing.

VLAN addressing and grouping
The basic problem of addressing is simple: find a way to uniquely identify each machine in the VLAN so that messages can be sent to the proper system. Implementation-wise, it is more difficult. To explain, let's take a simple diagram of a network of six machines -- four clients and two servers. In our simple network, these are all connected to a switch; it could be an ATM switch, an Ethernet switch, or any other kind. It's just a communications switch.

In its simplest form, a VLAN can be made of individual ports on a switch which are interconnected by software. Let's say Clients 1 and 2 and Server A are grouped into VLAN_A, and Clients 3 and 4 and Server B are in VLAN_B. This is known as VLAN addressing/grouping by ports.

The addressing in this situation is by the ports the machines are connected to on the switch. In a small network and in locations where computers are not moved very much, this is fine. But what if Client 2 had to move to a different department from where Client 3 is located and vice versa? Suddenly you have the wrong computers in the wrong VLANs. The VLAN in this situation only knows the ports which belong in the groups and does not recognize the individual computers.

Let's say we get a little smarter. Rather than using the port, we use something that exists in almost all network interface cards (NICs) in computers across the world. This is the hardware address, often called the media access control (MAC) address. For example, Ethernet MAC addresses are a set of six hexadecimal numbers usually written in the format AA:BB:CC:DD:EE:FF. Because the MAC address is on the computer, you can now move computers around the network and still keep them grouped in the proper VLANs. This is the next step in VLAN evolution, known as MAC-based grouping. Because media access control lies in the data link layer, the second layer in the classic OSI network layer diagram, this is more commonly known as Layer 2 switching.

Application Layer (Layer 7)
Presentation Layer (Layer 6)
Session Layer (Layer 5)
Transport Layer (Layer 4)
Network Layer (Layer 3)
Data Link Layer (Layer 2)
Physical Layer (Layer 1)

This is still not perfect though. Computers die, or more commonly NICs die and have to be replaced. Although the person using that computer is still the same and the purpose of that station is still the same, the hardware information is specific per machine. Trying to maintain the MAC addresses across all machines would result in another administrative headache.
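The move and NIC-replacement problems described above, as a small model added here (not code from the original article). Port numbers, MAC addresses and the function names are assumptions made for the example.

```python
# Constructed model of the article's six-machine network. Port numbers and
# MAC addresses are invented for illustration (locally administered range).
STATIONS = {  # name -> (home port, MAC, intended VLAN)
    "Client 1": (1, "02:00:00:00:00:01", "VLAN_A"),
    "Client 2": (2, "02:00:00:00:00:02", "VLAN_A"),
    "Server A": (3, "02:00:00:00:00:0a", "VLAN_A"),
    "Client 3": (4, "02:00:00:00:00:03", "VLAN_B"),
    "Client 4": (5, "02:00:00:00:00:04", "VLAN_B"),
    "Server B": (6, "02:00:00:00:00:0b", "VLAN_B"),
}
# The administrator's two possible membership tables, built once.
PORT_TABLE = {port: vlan for port, _, vlan in STATIONS.values()}
MAC_TABLE = {mac: vlan for _, mac, vlan in STATIONS.values()}


def wire(moves=None, new_nics=None):
    """Return {port: (name, mac)} after optional moves and NIC swaps."""
    moves, new_nics = moves or {}, new_nics or {}
    return {moves.get(name, port): (name, new_nics.get(name, mac))
            for name, (port, mac, _) in STATIONS.items()}


def vlan_of(port, wiring, mode):
    """Classify the station on a port by port number or by its MAC."""
    if mode == "port":
        return PORT_TABLE[port]
    return MAC_TABLE.get(wiring[port][1])  # None: unknown NIC, no VLAN


def broadcast(sender, wiring, mode):
    """Names of the stations that receive a broadcast from `sender`."""
    src = next(p for p, (name, _) in wiring.items() if name == sender)
    vlan = vlan_of(src, wiring, mode)
    if vlan is None:
        return []                            # sender is cut off entirely
    return sorted(name for p, (name, _) in wiring.items()
                  if p != src and vlan_of(p, wiring, mode) == vlan)


SWAP = {"Client 2": 4, "Client 3": 2}        # the two clients trade places
NEW_NIC = {"Client 2": "02:00:00:00:00:99"}  # replacement card, not in table

if __name__ == "__main__":
    for mode in ("port", "mac"):
        print(mode, "after swap:", broadcast("Client 2", wire(SWAP), mode))
    print("mac after new NIC:",
          broadcast("Client 2", wire(new_nics=NEW_NIC), "mac"))
```

With port grouping the swapped Client 2 lands in VLAN_B's broadcast domain; with MAC grouping it stays in VLAN_A, but a replaced NIC drops it out of every VLAN until the table is updated.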

Furthermore, the hardware address isn't what the software uses for communications. We use Internet Protocol addresses, or AppleTalk 2 addresses, or IPX addresses, etc. These are addresses in the Network Layer or Layer 3. To take VLANs to this next evolutionary step requires what is known as Layer 3 switching.

Layer 2 vs. Layer 3 switching
Layer 2 VLANs are simpler to integrate because there are no issues of network routing involved other than simple broadcasting to the group (it really is multicasting if you look at it from an overall network point of view). Layer 2 VLANs are also usually on the same switch because most switches do not maintain the MAC addresses of computers connected to other switches.

Layer 3 VLANs essentially require some level of mapping between hardware addresses and IP addresses (we'll only look at the IP version, although the problems are similar in other networking architectures). The switch needs to be able to determine that it is the same machine regardless of which port the machine is located on or what its hardware address is. If the members of the VLAN are on the same switch, it makes things easy, since switches usually keep a list of IP-to-MAC address mappings internally. However, when a member of the VLAN is on a switch external to the current physical network, the first switch must indicate to the external one that the member belongs to a VLAN group organized by the first switch.

ATM technology is actually just a Layer 2 switching system; it used to fall into the same category as FDDI, Ethernet, etc. where the hardware doesn't necessarily know what kind of system is on the end point or its Layer 3 IP address. When an Ethernet hub gets a packet it simply passes it to all other members of that network segment, and the correct computer accepts the packet based upon how the computer translates the Ethernet address into an IP address.

Beyond simple packet passing of the Ethernet variety within one network segment, you will need routers to control the forwarding of packets on your network. The last thing you want to do is build a single massive Ethernet segment with all your computers on it. All the data will not only reduce your traffic to a crawl but also make it potentially insecure. A router is needed to organize network traffic and send it to the appropriate segment of your network. If you are connected to the public Internet, you must have a router to separate public traffic from internal corporate traffic.

To make Layer 3 VLANs a possibility on ATM, you now have to bring some of the capabilities of an IP router into the ATM switch. Normally, the ATM switch would not necessarily have any knowledge of the payload it is carrying other than how to deliver it. However, vendors have recognized that such a capability will be important for data networks (keep in mind ATM is also used for digital voice or video networking).

Layer 2 switching with ATM
ATM technology is more intelligent and complex than simple Ethernet. It functions at Layer 2 but has many of the characteristics of Layer 3. It is possible to operate Layer 2 VLANs across an ATM network using ATM addressing and control features.

In ATM, Layer 2 switching is natural. However, to clarify matters, making a group of end-systems into a VLAN requires a technology known as LAN emulation (LANE). This provides the functionality to do the grouping and is available in more advanced ATM switches. LANE services require an ATM switch capable of functioning as a LAN emulation server (LES) to which individual LAN emulation clients (LECs) can connect.

As I just mentioned, not all ATM switches provide LAN emulation, although most ATM switches can pass LANE information across their framework, since LANE simply uses an SVC procedure to communicate. This of course assumes that your ATM switch can do SVCs -- most can these days.

Switched opinions
Layer 2 switching was a natural feature of ATM networks and came into being quite easily. It could be designed and built using current technology all the way. However, Layer 3 switching involves integrating ATM with a completely different layer. ATM connectivity basically stops at Layer 2 although some will argue that it is smart enough to be considered a Layer 3 technology as well.

In any case, vendors have been trying to tackle the problem of Layer 3 switching on ATM for over a year now. At this point we have to stop; Layer 3 switching on ATM is a whole new discussion. There isn't a widely accepted standard yet, but this is such a crucial facet in the acceptance of ATM in the data networking world that vendors are drawing lines and preparing for all-out war. Some of the competing standards include multiprotocol over ATM (MPOA) by the ATM Forum, IP switching from Ipsilon Inc., tag switching from Cisco Systems, FastIP from 3Com, and a host of others. We will look into Layer 3 switching technology proposals in the next issue.


About the author
Rawn Shah is director of intelligence at ATMnet, a provider of integrated digital communications services. Reach Rawn at


[(c) Copyright  Web Publishing Inc., and IDG Communication company]