Chapter 4. Networking Overview

4.8 Introduction to VLANs

4.8.1 What is a Virtual LAN

A virtual LAN allows a physical network to be divided administratively into separate logical networks. In effect, these logical networks operate as though they are physically independent of each other.

A VLAN-capable switch automatically manages the separation of traffic between VLANs for the devices attached to the switch. A VLAN ID can be assigned to each switch port and only packets that match the VLAN ID are sent to the device.

See Figure 4-26 on page 110 for a diagram of a simple switch.

Important: Avoid using the term bridging to describe a Virtual Switch. While this function looks as though it bridges between a Guest LAN and the Ethernet, bridging usually refers to the copying of an entire Layer 2 frame from one network to another. It also performs whatever frame translation is required on the way, such as in the case of translational bridging between Token Ring and Ethernet. VSWITCH handles only Ethernet packets, and does not qualify as a full Layer 2 network bridge.

Figure 4-26 An Ethernet switch

In the figure, each port is identified by a column and row number, such as A1 for the port in the upper left and B6 for the port in the lower right. Each port in this switch except A1 is called an access port. These ports are defined to a single VLAN only and provide connections for non-VLAN-aware devices. The number in each access port is the VLAN number assigned to that port. Only frames that match the VLAN ID of that port are sent to the device attached to the port; however, the VLAN information is removed from the frame before it is sent. Also, all packets sent from the device to the port are tagged by the switch with the same VLAN ID before being sent to their destination.

Notice that multiple access ports have the same VLAN number. All of these ports are on the same subnet and the devices attached to these ports can communicate with each other. For instance, ports B3 and B5 are in VLAN 3 and packets can be exchanged between the ports. But they cannot directly communicate with the devices attached to any of the other ports. It is as though ports B3 and B5 are a separate physical device with two ports.

IBM zSeries Open Storage Attachment

Figure 4-26 port layout (recovered from the figure text; columns 1 to 6, rows A and B; T marks the trunk port, the other values are VLAN IDs):
Row A: T 1 1 2 1 2
Row B: 2 2 3 1 3 1

Trunk ports

In Figure 4-26, port A1 is a special port called a trunk port, labeled as T. This port is different from an access port because packets from multiple VLANs flow in and out of it. It is used to connect switches together or to connect other VLAN aware devices. An example of two switches with connected trunk ports is shown in Figure 4-27.

Figure 4-27 Ethernet switches connected via trunk ports

Notice that the access ports on both switches share the same VLAN IDs. The switches could be in locations separated by a great distance, yet the devices attached to them are in the same subnet, isolated from other devices. For example, VLAN 3 is assigned to two access ports on one switch and four access ports on the other. The connected trunk ports are what allow the VLAN 3 frames to flow from one switch to the other. This concept of trunking switches together can be extended beyond the two switches shown here.
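The access-port and trunk-port behaviour described above (tag on ingress, strip on egress, frames kept tagged across the trunk) as an added example that is not part of the Redbook: a Python model of the switch in Figure 4-26 using real 802.1Q framing. The port-to-VLAN map is read off the figure; the `forward` function, the port names used as keys and the sample frame in the comments are constructed here.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q VLAN tag
TRUNK = "T"           # marker for the trunk port (A1 in Figure 4-26)

# Port -> VLAN assignment read off Figure 4-26; A1 is the trunk port.
FIGURE_4_26 = {"A1": TRUNK, "A2": 1, "A3": 1, "A4": 2, "A5": 1, "A6": 2,
               "B1": 2, "B2": 2, "B3": 3, "B4": 1, "B5": 3, "B6": 1}

def vlan_of(frame: bytes):
    """VLAN ID of an 802.1Q-tagged frame, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # VID: low 12 bits of TCI
    return None

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag again, giving back the frame the end device originally sent."""
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame

def forward(ports: dict, ingress: str, frame: bytes) -> dict:
    """Flood a frame received on `ingress`; return {egress_port: frame_as_sent}.

    Access ports tag on ingress and untag on egress; the trunk keeps the tag so
    the far switch still knows the VLAN. In this model a frame of the wrong kind
    for its port (tagged on access, untagged on trunk) is dropped, so an attached
    device cannot pick its own VLAN.
    """
    if ports[ingress] == TRUNK:
        vid = vlan_of(frame)
        if vid is None:
            return {}
        tagged = frame
    else:
        if vlan_of(frame) is not None:
            return {}
        vid = ports[ingress]
        tagged = add_tag(frame, vid)
    out = {}
    for port, assignment in ports.items():
        if port == ingress:
            continue
        if assignment == TRUNK:
            out[port] = tagged             # stays tagged across the trunk
        elif assignment == vid:
            out[port] = strip_tag(tagged)  # same VLAN: delivered untagged
    return out                             # other VLANs never see the frame
```

Feeding the tagged frame that leaves one switch's A1 into a second switch with the same layout reproduces Figure 4-27: it reaches only that switch's VLAN 3 access ports, untagged.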

A more typical example is shown in Figure 4-28 on page 112. This example shows how a router is used with VLANs.


Figure 4-28 VLAN scenario with routing

We make the following observations about the network in this diagram:

- Switch ports are represented by dark squares. The larger squares are trunk ports, the small squares are access ports.

- Again we have two switches in physically separate locations, connected by trunk ports.

- Switch 2 has a hub with several systems connected to it.

- Switch 1 has a trunk port connection to a router which, in turn, is connected to an external WAN, represented by the cloud.

- VLAN 11 is a network that exists across both locations. Data sent between VLAN 11 devices in the separate locations flows through the trunk port connection.

[Figure 4-28 labels: Switch 1, Switch 2, Router, Hub, VLAN10, VLAN11, VLAN12, LINUXA]


- The router is a VLAN-capable device, attached to one of the trunk ports. The correct definitions in the router provide a routing path between VLAN 10 and VLAN 12, and between either of these networks and the WAN. This is usually done by defining a virtual network device against the physical port on the router, linking that virtual interface to the VLAN, and enabling the interface for routing.

- VLAN 11 has no access to any other VLAN, or the WAN. Even though VLAN 11 shares access to trunk ports in both switches with VLAN 12, the VLAN architecture prevents traffic from flowing between the two networks.

If routing to VLAN 11 is required, the Switch 1 trunk port to the router could be included into VLAN 11 and a virtual interface for VLAN 11 defined in the router.

- The only machines in the entire network that are permitted to access the server LINUXA are those in VLAN 11. This is for the same reason that VLAN 11 cannot access the external network: there is no routing path between VLAN 11 and the other VLANs.

Later in this chapter, we present a working scenario of VLANs using a switch coupled to a z/VM Virtual Switch. See 4.10, “Layer 2 test scenario” on page 126.