The beginning of the end for enterprise network VLANs

It is possible to build a very large, flat IP network for the Wi-Fi domain with today’s WLAN equipment


Many of us cordially detest virtual LANs (VLANs). They require complicated configuration, and consequently they are error-prone. They do not offer fully satisfactory solutions for the problems they are employed to solve, primarily limiting broadcast traffic and segregating devices and their traffic for security purposes. But as the least-worst alternative, they are a fact of life in many networks.

Recent developments in WLAN and data center networking offer opportunities to escape VLANs.

In the enterprise Wi-Fi world, it has long been important to reduce broadcast traffic over the air, and WLAN vendors have been developing techniques along these lines for years. An early feature allowed an access point to act as an ARP proxy for its client devices, answering on their behalf. The success of proxy-ARP functions engendered intervention in other broadcast/multicast protocols to reduce unnecessary traffic and improve performance.


More recently, Apple's Bonjour (its zero-configuration networking suite, built on multicast DNS and DNS Service Discovery) became a common method for discovering services and devices on a LAN. Strictly it is a link-local multicast protocol rather than a broadcast one, but from the WLAN's point of view the effect is the same: every announcement reaches every client in the VLAN. As WLAN customers, particularly universities, were faced with many BYOD devices, they struggled with this layer 2 discovery protocol, originally designed for home networks. On the one hand, it exposed every advertised device on a VLAN to every other client, even when they had different owners and should not have been shared; on the other, it would not reveal devices on different VLANs, because multicast DNS is link-local and does not cross routers.

This led the WLAN vendors to add more broadcast/multicast tools. They found ways to group devices and users that should be able to inter-communicate, and to provide control such that group members' devices could see and connect to each other while not seeing or connecting to other groups. These techniques involved manipulation of broadcast discovery protocols, as discovery is a necessary precursor to communication: control of broadcast protocols segregates devices and traffic. One caveat matters for security: discovery filtering hides a device, it does not wall it off. A client that already knows a peer's address (from a previous session, a guess, or a scan) can still send to it on a flat layer 2 network, so the "not connecting" half of the promise has to be enforced separately, by per-client isolation or the role-based traffic policy that the same WLAN platforms provide.

These two steps—limiting broadcast traffic by use of suppression and proxies, and segregating devices and users into groups by filtering and selective forwarding of broadcasts—achieve the two main goals of VLANs. They have been available for several years and are by now well-proven. It is possible to build a very large, flat IP network for the Wi-Fi domain with today’s WLAN equipment, so much so that we no longer recommend the use of VLAN pooling features.
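The following Python model, an added example and not the article's or any vendor's code, puts the two mechanisms side by side on one flat segment: a snooped neighbor cache that answers IPv4 ARP and IPv6 neighbor solicitation on the clients' behalf (flooding only on a cache miss), and a group-scoped DNS-SD browse that returns only advertisers from the requester's own group or a shared group. It also checks the caveat from the previous paragraph: a device hidden from discovery is still reachable by unicast unless a separate policy (here the hypothetical `policy_allows` rule, same-group or shared-group only) is enforced. The client names, MAC and IP addresses, group names and service types are all constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Client:
    name: str
    mac: str
    ip: str                      # IPv4 or IPv6 literal (constructed sample data)
    group: str                   # discovery group, e.g. "dorm-3f" or "staff"
    services: list = field(default_factory=list)   # DNS-SD service types advertised


class FlatSegment:
    """One large L2 domain whose WLAN snoops client addresses and proxies for them.
    Hypothetical simulation of the behaviour described in the text."""

    def __init__(self, shared_groups=("shared",)):
        self.clients = {}            # mac -> Client
        self.neighbor_cache = {}     # ip_address -> mac, learned by snooping
        self.shared_groups = set(shared_groups)
        self.floods = 0              # resolution requests that had to go over the air

    def associate(self, client):
        """A client joins; the infrastructure snoops its addresses (DHCP/ARP/ND)."""
        self.clients[client.mac] = client
        self.neighbor_cache[ipaddress.ip_address(client.ip)] = client.mac

    def resolve(self, target_ip):
        """Proxy ARP (IPv4) / proxy Neighbor Discovery (IPv6): a cache hit is
        answered by the infrastructure, only a miss is flooded to all clients."""
        mac = self.neighbor_cache.get(ipaddress.ip_address(target_ip))
        if mac is None:
            self.floods += 1
        return mac

    def browse(self, requester_mac, service_type):
        """Group-scoped DNS-SD browse: advertisers of service_type that the
        requester may see, i.e. its own group plus any shared group."""
        me = self.clients[requester_mac]
        visible = {me.group} | self.shared_groups
        return sorted(c.name for c in self.clients.values()
                      if c.mac != me.mac and c.group in visible
                      and service_type in c.services)

    def policy_allows(self, src_mac, dst_mac):
        """Hypothetical per-client traffic policy: unicast only within the same
        group or towards a shared group. This is the enforcement step that
        discovery filtering alone does not provide."""
        src, dst = self.clients[src_mac], self.clients[dst_mac]
        return src.group == dst.group or dst.group in self.shared_groups

    def can_reach(self, src_mac, dst_ip, enforce_policy):
        """Whether a unicast from src to dst_ip gets through the segment."""
        dst_mac = self.resolve(dst_ip)
        if dst_mac is None:
            return False
        return self.policy_allows(src_mac, dst_mac) if enforce_policy else True


def build_demo():
    """Constructed sample population: two dorm floors and one shared printer."""
    seg = FlatSegment()
    for c in [
        Client("alice-laptop",  "02:00:00:00:00:01", "10.0.0.11", "dorm-3f"),
        Client("dorm-printer",  "02:00:00:00:00:02", "10.0.0.12", "dorm-3f", ["_ipp._tcp"]),
        Client("bob-phone",     "02:00:00:00:00:03", "10.0.0.21", "dorm-4f"),
        Client("bob-tv",        "02:00:00:00:00:04", "fd00::24",  "dorm-4f", ["_airplay._tcp"]),
        Client("lobby-printer", "02:00:00:00:00:05", "10.0.0.99", "shared",  ["_ipp._tcp"]),
    ]:
        seg.associate(c)
    return seg


if __name__ == "__main__":
    seg = build_demo()
    alice = "02:00:00:00:00:01"
    print("alice sees printers:", seg.browse(alice, "_ipp._tcp"))
    print("alice sees AirPlay:", seg.browse(alice, "_airplay._tcp"))
    print("alice -> bob-tv, discovery filter only:", seg.can_reach(alice, "fd00::24", False))
    print("alice -> bob-tv, with policy:", seg.can_reach(alice, "fd00::24", True))
    print("floods so far:", seg.floods)
```

Running it shows Alice's browse returning only her floor's printer and the shared one, and nothing for AirPlay, yet `can_reach` to the hidden TV succeeds until the policy rule is switched on. Cache hits never increment `floods`; the count only rises for an address nobody has snooped, which is exactly the traffic that a flat network must keep rare.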

But while it's already possible to build very large, flat networks for Wi-Fi, VLAN engineering is so deeply entrenched in large networks that it requires considerable effort to remove it. Maintaining VLAN-based networks is time-consuming, but re-designing them is too big a project for many organizations to take on, even though it would generate savings in the long term. And moving to very large, flat IP networks can stress other infrastructure functions, such as DHCP scope sizing and the ARP, neighbor and forwarding tables on the gateways, requiring careful planning. So, a more significant trigger may be required to make the project worthwhile.

IPv6 migration provides an opportunity

For many networks, IPv6 provides such a trigger. Moving to, or more commonly adding, a side-by-side IPv6 capability is a significant project, one that requires new infrastructure functions and network re-design. This re-design can incorporate the existing VLAN structures, but it also represents an opportunity to eliminate them in a new network design. (Enabling large, flat IPv6 topologies requires the WLAN to intervene in IPv6 address assignment and Neighbor Discovery: router advertisements, neighbor solicitation and duplicate address detection are all multicast, so the infrastructure proxies neighbor solicitations from a snooped neighbor cache and converts multicast router advertisements to unicast for the clients that need them. These techniques are now widely implemented.)

While the WLAN infrastructure is ready for large, flat IP networks, wired switches do not incorporate all the necessary features. They are likely to require VLAN engineering for a while.

But change is in the wind, and for these products, it originates in the data center. The advances in self-organization and abstracted configuration and management of data center switches have been impressive. SDN and overlay networking first took hold in part because large multi-tenant data centers ran out of VLANs: the 802.1Q tag carries a 12-bit VLAN ID, allowing at most 4,094 usable segments, which is why overlays such as VXLAN with a 24-bit identifier were introduced. Over time, these approaches will surely spill over into the enterprise networking world. Whether this takes the form of simple, high-level configuration and management of existing VLAN topologies or something more advanced where VLANs can be pruned or eliminated remains to be seen. But since existing practice is painful and solutions exist elsewhere, it is reasonable to conclude that infrastructure vendors will take a look.

Thus we can look forward to a day when configuring and maintaining VLANs is no longer a fact of enterprise life. That day may be far off for many because the work required to re-design large networks is considerable. But the benefits are clear, and IPv6 migration provides an opportunity. 

This article is published as part of the IDG Contributor Network.