Moving Users in VLANs

Moving Users in VLANs

VLANs reduce the problems associated with moving a user in a legacy network from one location to another. As you move a user in a legacy network, you need to consider many factors. In a VLAN, however, a number of the factors disappear. Consider the following example in Figure 5-12.

Figure 5-12. Moving a User in a Legacy Network

Figure 5-12 shows Station A attached to Network A in a legacy network. The user’s highly educated, capable, and rational manager decides that the user needs to move to another location. As the network administrator, you inquire about the motivation for the move and learn that, “It’s none of your business,” which is shorthand for, “I don’t have anything better to do than to reassign employee locations.” Being a diligent network administrator, you quickly recognize an important task, so you set about to plan the move.

OSI Logistics for Moving Network Users

During the early 1990s, a movement was afoot to eliminate routers from the networks and create one large, flat-bridged network. These were known as end-to-end VLANs. The motivations for this type of design are considered in this section. However, as a preamble, it is important to note that experience with the end-to-end VLANs demonstrated that they do not scale well in networks and forced users to reinstate routers in the network. One of the scaling issues was with Spanning Tree.

Today’s design recommendations incorporate VLANs in local areas and use Layer 3 routing/switching between smaller areas. Part V of this book, “Real-World Campus Design and Implementation,” discusses in more detail various approaches to VLAN deployments. Even though the end-to-end designs did not prove to be feasible, the motivations still apply in smaller areas. That is why this section covers the initial benefits of end-to-end VLANs.

What issues do you need to consider to support the move? Many issues ranging from Layer 1 through Layer 7 of the OSI model. Ignore Layers 8 (financial), 9 (political), and 10 (religious) for now because these are not officially in the OSI definition.

Table 5-3 summarizes a number of issues that should concern you.

Table 5-3. Logistics Issues in a Legacy Network

Issue Explanation
Layer 1
Distance to network hub The new employee location might not be close to an existing network. You might need to extend the network or even create a new one.
Media type The user already has an adapter card installed in the workstation. Is the media compatible with the equipment at the new location? Is the new location using Category 5 cable? Fiber optic? Coax? Other?
Port availability Are there any ports or attachment points at the new location suitable for the user?
Link speed Can the hub or segment at the new location offer the bandwidth that the user needs?
Layer 2
Access method Is the network at the new location of the same type as at the original location? Is the network new/old Ethernet, Fast Ethernet, Token Ring, FDDI, or other?
NIC compatibility Is the existing NIC compatible with the new network hardware? If you have to change the NIC, are the new drivers compatible with the upper layers?
Layer 3
Logical address You might need to assign a new protocol address to the user at the new location.
Default gateway The user’s workstation might need to be reconfigured to point to a different gateway.
Firewalls/access lists By moving the user, you might need to modify router access lists and firewall configurations to allow the user to reach the resources that support his functions.
Higher Layers
Available bandwidth to resources Layer 1 issues listed link speed. This is for the local link. But the user’s resources might be located on another segment forcing the traffic to cross other segments. Do the transit segments have enough bandwidth to support the user’s applications?

You must deal with all of these issues when you move users in a legacy network environment. Layer 1 and Layer 2 issues can create some undesirable situations like forcing you to change a user from Ethernet to Token Ring because the new location uses that access method. This should cause you to worry about compatibility with the user’s upper layer protocols. If you need to attach to a different network type, you need to change the workstation’s NIC and associated drivers. You might think that the drivers are compatible with the upper layers, but you might discover at 5:00 PM on a Friday evening that they are not.

Maybe you need to use fiber optics to reach from the new location to a hub because the distance is too long. Or, you might use fiber because the cable runs through an electrically noisy environment.

Possibly, new switches or hubs need to be installed to support the relocated user because all of the other interfaces might be occupied. If you install a new repeater/hub, make sure that you do not exceed the collision domain extent. If you install a new switch, you need to configure the correct VLAN setting and any other appropriate parameters.

Although all layers create headaches at one time or another for network administrators, Layer 3 creates irksome migraines. Layer 3 issues are even more complex, because they frequently involve changes in equipment configuration files. When you move the user, he might attach to an entirely different logical network than where he was originally. This creates a large set of potential actions on your part. For example, because the user now attaches to a different network, you need to modify his host address. Some of this pain is lessened through the use of Dynamic Host Configuration Protocol (DHCP) to automatically acquire an IP address. This works even when moving a user from one VLAN to another.

Even more annoying, you might need to modify any policy-based devices to allow the new address to reach the same services as prior to the move. For example, you might need to modify access lists in routers to enable the station’s frames to transit the network to reach a file server. Remember that routers evaluate access lists from the top of the list to the bottom and stop whenever a match occurs. This means that you need to be sure to place the new entry in the correct location in the access list so that it is correctly evaluated. If any firewalls exist between the station and its resources, you need to ensure that the firewall’s settings permit access to all desired resources.

Yet another item you must consider involves a combination of higher and lower layers. What bandwidth does the user’s applications require? Can the network provide the same bandwidth for the paths that the frames must now transit? If not, you might have some serious network redesign in front of you.

Deploying VLANs to Eliminate Broadcast Domain Issues

Now consider a similar network designed with Catalysts rather than a legacy design. By using Catalysts as in Figure 5-13, you can deploy VLANs to distribute and constrain broadcast domains. When deploying VLANs, some items in Table 5-3 become irrelevant when moving a user from one location to another in the network.

Figure 5-13. A Switched Version of the Legacy Network of Figure 5-12

VLANs do not eliminate Layer 1 or Layer 2 issues. You still need to worry about port availability, media and access types, and the distance from the station to the switch.

You still need to worry about higher layer issues such as bandwidth to resources. The switched network cannot implicitly guarantee bandwidth. It does, however, offer you flexible alternatives to install more bandwidth between switches without redesigning a whole network infrastructure. For example, you can install more links between Catalysts, or you can move to higher speed links. (Inter-Catalyst connection options are reviewed in Chapter 8, “Trunking Technologies and Applications.”) Upgrading to a higher speed link does not force you to install a new access method.

You can upgrade from a 10 Mbps to a Fast Ethernet or Gigabit Ethernet solution fairly easily and transparently to users. Obviously, similar solutions are available in routers too, but you might not be able to obtain the port density that you want to service many stations.

VLANs do not directly help mitigate lower layer or higher layer difficulties in a legacy LAN. Other than for the possibility of user stations experiencing more bandwidth with switched VLAN equipment, why use VLANs? Here is the good news: in a VLAN environment, Layer 3 issues no longer need to be a concern as they were in legacy network designs. When moving the user in Figure 5-13, you can configure the switch port at the new location to belong to the same VLAN as at the old location. This allows the user to remain in the same broadcast domain. Because the user belongs to the same broadcast domain, the routers and firewalls view the user as belonging to the same network even though a new physical location is involved. This eliminates the need to perform any Layer 3 tasks such as changing host addresses for the new location and leaves access list and firewall configurations intact.

The VLAN approach just described is sometimes called end-to-end VLANs, or VLAN everywhere or the distributed VLAN design method. It has the clear advantage of allowing you to keep a user in the same broadcast domain regardless of the physical location. As good as it seems to take this approach, it does have disadvantages. (Alas, nothing is ever as good as it seems.) Issues arise whenever the network grows in extent. As you add more Catalysts to the system, you add more bridges which increases the Spanning Tree topology complexity. This was mentioned in the previous section.

Deploying Layer 3 Distribution for Network Access Management and Load Distribution

In contrast, another approach to deploying VLANs potentially simplifies Spanning Tree issues. Some network designers use a Layer 3 approach in the system for distribution and backbone layers and use Layer 2 devices for access layers. Figure 5-14 shows such a network concept. In this system, the network design uses Layer 2 switches to the desktop and Layer 3 switches, such as the Catalyst 8500 and Catalyst 6000 series, for the distribution and backbone segments.

Figure 5-14. Layer 3 Design in a Switched Network

Part V of this book describes VLAN design philosophies. One approach, the Layer 3 distribution design, minimizes the Spanning Tree extent and topology because the Spanning Tree is constrained to the pockets of access devices. Access pockets can be placed on floors as in Figure 5-15. Each floor has its own access network. Users on the floor share the access network regardless of their community of interest. Engineering and accounting might share the VLAN. If necessary, the access network can be divided into a couple of VLANs to provide additional isolation between users or departments. Further, it enables load balancing, which is not easily obtainable in a Layer 2 design. These advantages lead many network engineers to avoid the end-to-end VLAN approach in favor of the Layer 3 design approach.

Figure 5-15. Layer 3 Design Approach Applied to a Facility

Historically, network approaches swayed from Layer 2 to Layer 3 back to Layer 2 and now back to Layer 3. The earliest networks were by default Layer 2. At some point in history, someone realized that they didn’t scale very well, and they wanted to connect Layer 2 segments together. So routers were invented. Soon, the whole world deployed routers. But because routers were slow, designers started to look at high-performance bridges to interconnect the networks on a large scale.

This was the advent of the Layer 2 switching products during the late 1980s to early 1990s. Until recently, Layer 2 switching plans dominated new network designs. Then came the realization that large scale Layer 2 networks created other problems, and router speeds have increased dramatically since the early 1990s. Engineers reexamined Layer 3 approaches for the backbone and distribution networks and now tend to consider Layer 3 designs a more desirable approach. It can, however, restore the disadvantages of Layer 3 complexities in a legacy network if poorly implemented.

About the author


Leave a Comment