
The ineffable VLAN
Like the blind men and the elephant, VLAN means different things to different vendors

By Edwin E. Mier and Robert J. Smithers Jr.
Network World, 2/17/97

VLAN may not be as hot a buzzword as Java or network computer, but it has a lot in common with them: It means different things to different vendors, none of whose offerings interoperate.

Our testing was a little like the blind men who walk up to an elephant, encounter various parts of the animal's anatomy and each come away with totally different perceptions of the beast's true nature. We didn't work with blinders on, but it became clear early in the testing process that virtual LAN (VLAN) products from different vendors have very little in common.

But we found that VLANs succeed, to varying degrees, in addressing the uncontrolled proliferation of broadcast and multicast traffic on large networks.

Without question, Xylan Corp. offers the most versatility and functionality in its VLANs. We tested the company's PizzaSwitch, with 12 switched Ethernet ports and two Fast Ethernet uplink ports, and a multislot Omni-5 OmniSwitch, configured with Fast Ethernet ports.

Plaintree Systems, Inc.'s VLAN support was also impressive. Plaintree brought in its WaveSwitch 1018, with 16 switched Ethernet ports and two Fast Ethernet ports, and a high-end, modular WaveSwitch 4800, configured with a half dozen dual 10/100Base-T port modules. In addition to the low-level "port groupings" basis for VLANs that Bay Networks, Inc. and Cisco Systems, Inc. support, Plaintree lets users build VLANs based on nodes' media access control (MAC) addresses and "protocol groupings."

3Com Corp. submitted its SuperStack II (formerly LinkSwitch) 1000 Ethernet switch with Fast Ethernet uplink, and a 3000 switch, with eight Fast Ethernet ports. The SuperStack II can be coupled with the latest VLAN-control software from 3Com (still available only on Unix, as part of the Transcend Enterprise Manager for Unix suite) and a new Windows-based application called VLAN Server. As a result, 3Com users can now build multiple-switch VLANs based on station MAC addresses. However, 3Com's VLAN scheme still does not provide network-layer intelligence.

3Com's new VLAN architecture is a little complicated. And users should be aware that, if they deploy the new MAC-based VLAN, they cannot operate their VLANs based on port groupings as they do now.

Cisco sent in two multislot Catalyst 5000 switches, with modules for switched Ethernet and Fast Ethernet. Like Bay, Cisco's support of VLANs with its Catalyst 5000 switches is based only on low-level port groupings. Unlike Bay, however, Cisco's VLANs can be set up and controlled across multiple Catalyst 5000s.

Cisco's VLAN control software's easy-to-use interface compensates somewhat for its fairly low-level VLAN functionality. The vendor's VLANs are solid and easy to configure but are not very sophisticated.

Bay submitted two of its multislot Centillion 100 switches, configured identically, with a mix of switched Ethernet and Fast Ethernet ports. Bay's brand of VLAN consists primarily of port groupings. Were it not for the company's built-in packet filtering, which lets a knowledgeable user create tailored VLANs based on any user-defined packet criteria, Bay would not have been a contestant in this testing. In addition, Bay is the only vendor of the five we tested whose VLANs are still limited to a single switch environment. As a result, we would place Bay near the bottom of the VLAN functionality totem pole.

Bay: a switch at a time, for now

You cannot sit at a console running Bay's SpeedView VLAN control application and set up a VLAN that ties together ports on different switches. A link between switches can carry the traffic for just one VLAN. So, while multiple switches technically can belong to the same VLAN, you need a discrete switch-to-switch link for each one. That's hardly efficient or practical, because it eats up switch ports and wastes a lot of bandwidth. An interswitch "trunk" link in the Bay environment cannot be used to carry traffic for multiple VLANs at the same time.

Bay's built-in, user-defined packet filtering, however, lets users create VLANs - a single switch at a time - that pass or accept packets based on any field of data in the packet. Keep in mind, the interface for creating filters is pretty rugged; to use it, users need to know how control information is contained in packets. Bay also has the most tedious and nonintuitive interface for moving a port from one VLAN to another. In fact, the interface takes more time and more steps than Plaintree's, whose VLANs are set up via a command-line interface.

Remember, in Bay's case, you need to think in terms of moving ports rather than nodes, stations or users, because the basis for Bay's VLANs is port groupings. Any device connected to a port on a Centillion 100 switch belongs to whichever VLAN that port is assigned to. And if a station is moved to another port that is assigned to a different VLAN, it cannot communicate until the administrator manually reassigns the port to the appropriate VLAN.

SpeedView/Unix, Bay's VLAN-control application - a component of the Optivity LAN suite - is graphical and, for the most part, is point and click (regrettably, not drag and drop like many other VLAN-control applications). However, it is hard to figure out what you have to do to make VLAN changes, and you can get lost in the screen layout.

SpeedView/Unix would not always apply the VLAN changes we entered, although it appeared to the application that the changes were made. We could not learn why this happened, but we did discover that, on occasion, the SpeedView/Windows application would show a different VLAN configuration than the Unix application for the same switch. The Windows application tended to be correct in its VLAN views.

The Windows application does present some problems, however. The interface is not at all like the one used in the Unix version. What is more, the Windows application interacts with a switch's agent using a completely different protocol than that used by the Unix software (which is pure SNMP over IP). The Windows application uses a proprietary Logical Link Control-type protocol that, it turns out, cannot be routed over a backbone network, as SNMP over IP can.

Clearly, Bay lags behind some of its VLAN competitors, especially with regard to VLAN functionality and multiple switch VLAN support. Bay customers may grimace, too, at the fact that the VLAN capabilities and control software we tested for the Centillion 100 switch do not apply to, or work with, the vendor's popular 28000 series switches.

On a bright note for Bay, though, our performance tests did not detect any leakage of traffic - unicast, broadcast or multicast - across VLAN boundaries.

Cisco: software still in beta

We found VLAN setup and moving of ports (not stations or nodes) among VLANs extremely simple and intuitive with Cisco's software - even though we could not get the application the company gave us to use for VLAN management up and running.

The new software that would not work was VLAN Director, Version 1.2 beta. This looked to be a pretty sophisticated application with a built-in database, but we never found out for sure. The software reportedly runs only on NT Workstation, the older Version 3.51, and requires the NTFS file system (rather than the DOS and Windows FAT file system). We provided all this and built and rebuilt various NT Workstation platforms for more than a week, with near-continuous input from Cisco technical support. But no dice. We could not get the application loaded or running.

But things turned out pretty well for Cisco anyway. In lieu of VLAN Director, we used the integral VLAN-control capabilities of the CiscoView 3.1 application, another component of the CiscoWorks for Switched Internetworks 2.0 suite. CiscoView worked simply and intuitively, with reliable drag-and-drop assignment of ports from one VLAN to another. It is hard to know what VLAN Director would have added, but it could not have been any easier to use than CiscoView.

Cisco did not offer the sophisticated packet-filtering capability that Bay did, but Cisco did support its VLANs across a network of multiple switches. It does this through a tag switching protocol it developed, in which a switch appends a 4-byte information field to packets it sends across specially designated interswitch trunk links. This tag tells the receiving switch to which VLAN the data belongs.

We found this control mechanism worked well and reliably. And as with Bay, we detected no traffic leakage across VLAN boundaries.

Plaintree: a plain-old command line

The VLAN control software inside the Plaintree switches is pretty slick. It can keep track of individual node addresses and their association with a particular VLAN, as well as switch ports. Or the software lets users constrain all traffic of the same network-layer protocol - such as IPX, IP or even DECnet - to within its own VLAN. Plaintree's VLAN support operates across multiple switches, too.

With port-grouping-based VLANs, a node can belong to only one VLAN for as long as it is connected to the same switch port. Unfortunately, many workstations in today's large organizations must communicate using different protocols at different times - sometimes even at the same time. A station on a Plaintree VLAN can do this. For example, a station might participate in one VLAN and access a Novell, Inc. NetWare server when communicating via IPX as a NetWare client, then be automatically moved to another VLAN when speaking IP for access to the organization's firewall and Internet connection. A node can be associated with as many as four VLANs in this way.

But one aspect of Plaintree's VLAN support is less than impressive: the command-line interface the user must wrestle with for VLAN setup and control.

According to the vendor, a VLAN-control application based on a graphical user interface is coming in the second quarter of this year. If it is anything like the VLAN capabilities built into the switch's operating code, it may be worth waiting for.

3Com: moves and changes, and leaks

Users of 3Com's popular 1000 and 3000 switches (formerly called the LinkSwitch series, now called SuperStack II) have had port-grouping-based VLANs for some time. With the latest switch operating software, Version 2.1, however, 3Com has moved up in the VLAN-functionality chain.

The MAC-based VLANs rely on a new Windows application, VLAN Server, which maintains a database of MAC-to-VLAN associations. A PC running this application must be accessible to the 1000 and 3000 switches; a secondary, backup VLAN Server station is reportedly also supported. We tested a beta version.

3Com says the VLAN Server software will be integrated into the next version of Transcend Enterprise Manager for Windows - 6.0, due out sometime this month. A version of this software that loads and runs right on the Unix management platform is on tap for March.

The new VLAN architecture has several definite pluses. For one, moves and changes are handled automatically.

If a station is moved from one switch to another, the switch sees an unknown MAC address when the station begins transmitting and queries the VLAN Server station (via SNMP over IP) about which VLAN it belongs to. If the VLAN Server does not know about the station, the node is assigned to a default VLAN, pending a manual action at the management station that assigns it to the appropriate VLAN. If the node has been assigned to a particular VLAN in the past, the VLAN Server tells the switch the correct VLAN for the node.
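The query-and-fallback sequence just described, as a constructed model added here (not 3Com's code; the class and function names, the default VLAN name and the re-query behaviour of a port parked in the default VLAN are assumptions):

```python
# Constructed model of the MAC-based VLAN lookup the article describes; not
# 3Com's code. VlanServer, Switch and DEFAULT_VLAN are assumed names.
DEFAULT_VLAN = "default"   # holding VLAN for stations the server does not know


class VlanServer:
    """Management station holding the MAC-to-VLAN database."""

    def __init__(self):
        self.db = {}          # mac -> vlan, set by the administrator
        self.pending = set()  # MACs parked in the default VLAN, awaiting assignment

    def assign(self, mac, vlan):
        """Manual action at the management station."""
        self.db[mac] = vlan
        self.pending.discard(mac)

    def lookup(self, mac):
        """Answer a switch query (SNMP over IP in the real product)."""
        if mac in self.db:
            return self.db[mac]
        self.pending.add(mac)
        return DEFAULT_VLAN


class Switch:
    """Edge switch with one station per port; VLAN membership comes from the server."""

    def __init__(self, server):
        self.server = server
        self.port_mac = {}    # port -> station MAC learned on it
        self.port_vlan = {}   # port -> VLAN the port currently belongs to

    def frame_from(self, port, mac):
        """Handle a frame with source `mac` arriving on `port`; return the VLAN used."""
        known = self.port_mac.get(port) == mac
        # Assumption: a port parked in the default VLAN re-queries on every frame,
        # so a later manual assignment takes effect without operator intervention.
        if known and self.port_vlan[port] != DEFAULT_VLAN:
            return self.port_vlan[port]
        vlan = self.server.lookup(mac)
        self.port_mac[port] = mac      # a second MAC on the port simply replaces the first
        self.port_vlan[port] = vlan
        return vlan


def walkthrough():
    """Known station moved between switches, then an unknown station gets assigned."""
    server = VlanServer()
    server.assign("00:00:aa:00:00:01", "engineering")
    sw1, sw2 = Switch(server), Switch(server)
    first = sw1.frame_from(3, "00:00:aa:00:00:01")    # known station on sw1
    moved = sw2.frame_from(7, "00:00:aa:00:00:01")    # same station after a move to sw2
    unknown = sw2.frame_from(8, "00:00:bb:00:00:02")  # never seen: parked in default VLAN
    server.assign("00:00:bb:00:00:02", "sales")       # administrator assigns it
    fixed = sw2.frame_from(8, "00:00:bb:00:00:02")    # re-query picks up the assignment
    return first, moved, unknown, fixed, sorted(server.pending)
```

Anything the server has never heard of lands in the default VLAN, so that VLAN is where unassigned and misplaced stations accumulate and is worth watching.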

The management application used for assigning nodes to VLANs, part of the vendor's Transcend Enterprise Manager for Unix, is still a little rough around the edges. But its drag-and-drop features are reasonably intuitive to use. In addition, it is well aligned with the vendor's ATM-VLAN management application.

On the downside, the new MAC-based VLAN architecture no longer lets you plug hub links into the switches. So users who want to feed traffic from a workgroup Ethernet hub into a 1000 switch for concentration onto a high-speed Fast Ethernet backbone cannot use the new VLAN scheme. It supports only a single station per switch port. That could end up being a costly limitation in a large network.

3Com uses 4-byte packet tagging over links among switches that resembles Cisco's. This is the mechanism used to run traffic from multiple VLANs concurrently over the same switch-to-switch link and to deploy VLANs across multiple switches. But despite the similarity with Cisco's tagging (which Cisco calls ISL, or Inter-Switch Link protocol), 3Com's implementation is different and proprietary, and the two vendors' VLANs will not work together.

A more substantial problem popped up in our lab testing. We found that broadcast traffic delivered to a Fast Ethernet port on a 3000 switch would - in some cases, and just intermittently - leak from one VLAN to another.
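A check for cross-VLAN leakage of the kind reported above, written here as an added example in the spirit of the lab tests and not the authors' tool; the forwarding-log format, port names, VLAN map and sample records are all constructed:

```python
# Constructed leakage check; not the authors' tool. The log format, port names,
# VLAN map and records below are made up for the example.
import re

PORT_VLAN = {                      # configured VLAN of each switch port (constructed)
    "p1": "red", "p2": "red", "p3": "blue", "p4": "blue",
}

# Constructed forwarding records: a frame seen entering `in` and leaving `out`.
LOG = """\
t=0.010 in=p1 out=p2 dst=ff:ff:ff:ff:ff:ff
t=0.011 in=p1 out=p3 dst=ff:ff:ff:ff:ff:ff
t=0.020 in=p3 out=p4 dst=01:00:5e:00:00:09
t=0.030 in=p2 out=p1 dst=00:00:aa:00:00:01
t=0.031 in=p4 out=p1 dst=00:00:aa:00:00:01
"""

LINE = re.compile(r"t=(?P<t>[\d.]+) in=(?P<src>\w+) out=(?P<dst>\w+) dst=(?P<mac>[0-9a-f:]{17})")


def frame_kind(dst_mac):
    """Broadcast, multicast (I/G bit of the first octet set) or unicast."""
    if dst_mac.lower() == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    return "multicast" if int(dst_mac[:2], 16) & 1 else "unicast"


def find_leaks(log, port_vlan=PORT_VLAN):
    """Return (time, kind, from_vlan, to_vlan) for every delivery that crossed a VLAN boundary."""
    leaks = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src_vlan, dst_vlan = port_vlan[m["src"]], port_vlan[m["dst"]]
        if src_vlan != dst_vlan:
            leaks.append((float(m["t"]), frame_kind(m["mac"]), src_vlan, dst_vlan))
    return leaks


def leak_summary(log, port_vlan=PORT_VLAN):
    """Count leaks per frame kind, so an intermittent leak shows up as a rate over a long run."""
    counts = {"broadcast": 0, "multicast": 0, "unicast": 0}
    for _, kind, _, _ in find_leaks(log, port_vlan):
        counts[kind] += 1
    return counts
```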

3Com was adamant in assuring us that this problem in the beta version of VLAN Server will be fixed before general release.

Xylan: best VLANs in this round

Xylan's performance did not have an auspicious beginning. The vendor initially shipped us AutoTracker Version 2.0.6, the then-current Windows software for VLAN setup and control. With this version, things did not do what they were supposed to, and the software itself seemed unstable.

Fortunately, all new software arrived a week later. It worked well and was, to the extent we could tell, stable and reliable. So if you plan to use Xylan's VLANs, be sure you are running at least Version 2.1 of AutoTracker, with the latest switch operating code version. (We ended up with 2.1.3 of the switch firmware.)

You can predefine policies for the segregation of network stations into VLANs and then leave the switches on autopilot to create VLANs for you. For example, you can set up the switches to automatically segregate users into one VLAN for NetWare clients, another for users of Lotus Development Corp.'s Notes and another for all other clients.

You can also set up VLANs on port groupings, by MAC address, by network-layer protocol groupings and even by some higher-than-network-layer criteria. For example, you could define all nodes on the same IP subnet to be part of the same VLAN. Then you could move any node to any switch port, and the switch software would automatically detect it and reassign the node onto the VLAN with its proper IP subnet.
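The policy-based assignment described here for Xylan, and the per-protocol membership described earlier for Plaintree, as one constructed model added here (neither vendor's code; the Frame class, the rule types, the rule values and the function names are assumptions):

```python
# Constructed model of policy-based VLAN assignment; not Xylan's or Plaintree's
# code. Frame, POLICIES, matches and classify are assumed names; rules are made up.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    port: int
    src_mac: str
    protocol: str                 # network-layer protocol: "ip", "ipx", "decnet", ...
    src_ip: Optional[str] = None  # only meaningful when protocol == "ip"


# Each policy is (vlan, criterion, value); a station may match several at once.
POLICIES = [
    ("netware-clients", "protocol", "ipx"),      # all IPX traffic stays in one VLAN
    ("eng-subnet", "ip_subnet", "10.1.0.0/16"),  # IP stations grouped by subnet
    ("servers", "mac", "00:00:cc:00:00:10"),     # MAC-based membership
    ("lab", "port", 12),                         # plain port grouping
]


def matches(frame, criterion, value):
    if criterion == "port":
        return frame.port == value
    if criterion == "mac":
        return frame.src_mac.lower() == value.lower()
    if criterion == "protocol":
        return frame.protocol == value
    if criterion == "ip_subnet":
        return (frame.protocol == "ip" and frame.src_ip is not None
                and ipaddress.ip_address(frame.src_ip) in ipaddress.ip_network(value))
    raise ValueError(f"unknown criterion {criterion!r}")


def classify(frame, policies=POLICIES, default="default"):
    """Return the VLANs this frame's station belongs to, or the default VLAN."""
    vlans = [vlan for vlan, crit, value in policies if matches(frame, crit, value)]
    return vlans or [default]


def walkthrough():
    """Same station speaking IP then IPX, then moved to another port."""
    mac = "00:00:aa:00:00:01"
    ip_on_p3 = classify(Frame(3, mac, "ip", "10.1.5.9"))    # ['eng-subnet']
    ipx_on_p3 = classify(Frame(3, mac, "ipx"))              # ['netware-clients']
    ip_on_p9 = classify(Frame(9, mac, "ip", "10.1.5.9"))    # still ['eng-subnet']: follows the subnet
    lab_decnet = classify(Frame(12, "00:00:dd:00:00:05", "decnet"))   # ['lab']
    stranger = classify(Frame(5, "00:00:ee:00:00:06", "appletalk"))   # ['default']
    return ip_on_p3, ipx_on_p3, ip_on_p9, lab_decnet, stranger
```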

For getting from one VLAN to another, all other vendors tested gave us the same answer: "Well, you've got to do that through an external router." However, Xylan's switches include integral routing of IP and IPX, which works very well.

Xylan supports all of this across multiple switch environments. If network-layer criteria are used for VLANs (for example, protocol groupings), then movement of traffic from multiple VLANs across the same switch-to-switch link is not an issue - the receiving switch just looks at the protocol and switches the packet accordingly.

For port groupings and MAC-based VLANs, though, Xylan has developed its own proprietary interswitch protocol. The vendor has adopted the message structure of the Spanning Tree Protocol (STP), which is used and understood by nearly all switches and bridges. Xylan uses a proprietary data format for switch-to-switch VLAN control information, within an STP-type message structure.

The latest release of the AutoTracker VLAN control software makes moves and changes easy and intuitive, with a drag-and-drop interface. Of the vendors tested, we believe Xylan's VLAN-control interface, which is remarkably similar to Novell Directory Services' directory in appearance and structure, allows users to make VLAN changes the fastest and easiest.

Round up the rest

In addition to the five we tested here, at least a dozen other switch vendors offer VLAN products. You should thoroughly explore any contenders appropriate to your needs before you buy.

For now, it seems there are as many different forms and flavors of VLANs as there are vendors with VLAN offerings. And we underscore the fact that, for now, users should not expect any two vendors' VLANs to interoperate.


How we did it

Our requirement to support both Ethernet and Fast Ethernet in the same virtual LAN (VLAN) posed problems for some vendors still working on integrating Fast Ethernet into their VLANs and who were not yet ready to show their stuff. Digital Equipment Corp., NBase Communications and UB Networks, Inc. politely bowed out.

There were also a number of ATM-oriented vendors who, it seemed, had their switched Ethernet and ATM VLAN acts together, but had not yet brought Fast Ethernet into their VLAN fold. Consequently, Agile Networks, Inc., FORE Systems and Newbridge Networks, Inc. were out.

One other vendor, Cabletron Systems, Inc., initially accepted the invitation but later declined to participate without comment.

Mier is president and Smithers is manager of testing services at Mier Communications, Inc., a Princeton Junction, N.J.-based networking consultancy and product test center. They can be reached via E-mail at ed@mier.com and rob@mier.com.