Transformations of Networking — Part 4

  1. Transformations of Networking — Part 1
  2. Transformations of Networking — Part 2
  3. Transformations of Networking — Part 3
  4. Transformations of Networking — Part 4 (this article)
  5. Transformations of Networking — Part 5

The switch, along with STP (802.1D), LACP (802.3ad), and VLAN support (802.1Q), changed the face of networking. Network administrators were able to design flexible, fault-tolerant networks that could repair network faults automatically. All of this snowballed into the year 2000 (and beyond) as end users became more and more connected to the internet and the economy came to depend more and more on computer systems, and indirectly on the networks that supported them.

VLANs — 802.1Q

VLANs allowed companies to split up large networks into smaller, more manageable networks. A switch configured with more than one VLAN essentially creates virtual networks within itself.

Some companies would create VLANs based on physical location; for example, a company whose offices cover a large but localized area, like a university or a mining company, might choose to create a VLAN for each building, or each floor of a building. Other companies would seek to create some logical separation between political groups in the organization, with Human Resources having its own network and servers, separate from the Geology network and servers.

The fascinating aspect of VLANs was that it was possible to have geologists and Human Resources workers in the same building, floor or room, connected to the same switch but on totally separate networks.

Problems and Limitations with VLANs


Some organizations looked to VLAN technology to reduce the amount of network hardware in the datacenter.

For example, this organization had a core switch, a DMZ switch and an Internet switch. Each switch was only partially utilized in terms of ports and internal bandwidth, so the temptation was to use a single switch, with a VLAN for each purpose and therefore save on costs, as below.

The problem here is below the surface, and while I can’t go into much detail here, suffice it to say that VLANs alone cannot provide perfect, secure separation of data between networks. There are methods to configure secure networks in this way; however, there is always a risk of data leakage due to an administrative error.

For those interested, the proper security method uses VLAN ACLs, here defined by Cisco.
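As an added example (not part of the original article and not Cisco tooling), the following Python script checks a constructed IOS-style configuration of the single-switch design for two conditions an administrator would want to review: a zone VLAN with no `vlan filter` applied, and a trunk port that carries more than one zone. The VLAN IDs, zone names and the sample configuration are assumptions made for illustration.

```python
import re

ZONES = {10: "CORE", 20: "DMZ", 30: "INTERNET"}  # assumed VLAN IDs and zone names
# Constructed IOS-style excerpt for the single-switch design; not from a real device.
SAMPLE_CONFIG = """\
vlan access-map DMZ-MAP 10
vlan filter DMZ-MAP vlan-list 20
interface GigabitEthernet0/22
 switchport mode trunk
 switchport trunk allowed vlan 30
interface GigabitEthernet0/23
 switchport mode trunk
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, zones=ZONES):
    """Return findings: trunks spanning several zones, zones without a VACL."""
    filtered, findings = set(), []
    iface = mode = allowed = None
    for line in config.splitlines() + ["!"]:  # trailing "!" flushes the last port
        if not line.startswith(" "):  # a top-level line ends the interface block
            carried = sorted(n for v, n in zones.items() if allowed is None or v in allowed)
            if iface and mode == "trunk" and len(carried) > 1:
                findings.append(f"{iface}: trunk carries zones {', '.join(carried)}")
            iface = mode = allowed = None
        if m := re.match(r"\s*interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"\s*switchport mode (\S+)", line):
            mode = m.group(1)
        elif m := re.match(r"\s*switchport trunk allowed vlan ([\d,-]+)\s*$", line):
            allowed = expand_vlans(m.group(1))  # no such line: trunk allows all VLANs
        elif m := re.match(r"vlan filter \S+ vlan-list ([\d,-]+)\s*$", line):
            filtered |= expand_vlans(m.group(1))
    findings += [f"VLAN {v} ({n}): no VLAN filter applied"
                 for v, n in sorted(zones.items()) if v not in filtered]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

A trunk toward the firewall or router that routes between the zones will legitimately appear in the output; the value of the check is that every such port is a deliberate, reviewed decision.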


The second problem with VLANs is that these virtual networks cannot directly communicate with each other — traffic between VLANs must be routed by a device (or devices) with access to each VLAN.

Routers, firewalls and servers served this purpose during the early days of VLANs; however, as network usage grew and server consolidation became a buzzword in IT, network administrators found themselves up against the limits of the routing hardware.

A router, firewall or server can route only in software. These days these routers can be quite fast, but in networks where servers are pushing the limits of gigabit interfaces, and quite possibly beyond, it becomes very expensive to process IP routing in software.

The solution came with the Layer 3 Switch.

Layer 3 Switching

The Layer 3 switch is essentially a router whose routing functions have been encoded into hardware — so IP routing can be handled on ASICs (Application-Specific Integrated Circuits) very quickly, compared to routers, firewalls or servers whose routing functions still happen in software.

This comparison between L3 switching and traditional software routing shows an immense difference in routing speed; a software router might be able to route around 50-100 Mbps (potentially higher, depending on the hardware), whereas the Layer 3 switch is able to route at line rate (1 Gbps per port).

These fast routing speeds are obtained by offloading the IP routing tasks to an ASIC. There are limitations with the ASIC, in particular that it is not a general purpose CPU — for example a 3750 is not able to perform NAT/PAT at any reasonable rate, and there are other limitations. But if you’re looking strictly for high-speed routing between VLANs, it is hard to beat. I’ve seen configurations where network administrators use a 3750 for inter-VLAN routing, and a Cisco 801 router for NAT/PAT and firewall purposes.

Other switches, such as the Cisco 6500 series, are capable of both high-speed L3 switching and processing complex, general routing calculations such as NAT/PAT very quickly.

Summary and Implications

Layer 3 switching allows network administrators to create complex, fault-tolerant, high-speed networks. A multi-VLAN environment allows network administrators to define the network in a comprehensible way, and provides the framework to deliver different services on the network, including data, voice, wireless, video and many more.

Above is a simple example of a campus network configuration, however you can imagine that each edge switch is not limited to a single VLAN. In fact, when I build networks I always tell my clients to leave room for growth in VLANs (and therefore, IP allocation) — the fact that they’re not using IP telephony or wireless today doesn’t mean it won’t come tomorrow.
