LinkIQ를 사용한 VLAN 문제 해결
2021년 5월 26일 / 일반
Everyone in the ICT industry has heard of a local area network (LAN) and likely understands that it’s a network made up of a myriad of devices—computers, servers, Wi-Fi access points, VoIP phones, surveillance cameras, etc.—all connected in one physical location.
Since they don’t technically exist physically, virtual LANs (VLANs) that essentially behave as physically separate LANs and enable segregating traffic based on function, are bit more mystifying—especially for installers and technicians who are used to dealing only with physical infrastructure.
Let’s take a closer look at why we have VLANs and how they can impact troubleshooting a cable plant.
What’s the purpose of VLANS and why do we need them?
Any typical LAN environment includes a wide range of devices and computer systems that all serve their own purpose. Some devices may be application specific:
- Access control
- Building automation, etc.
while other LAN devices may be function specific:
- Human resources
- Guests, etc.
All of the devices and systems that connect to a LAN can be located anywhere within a facility, but that doesn’t mean that they should all be able to communicate with one another and have the same usage and permissions.
If all the devices on a LAN have the ability to communicate with each other, see each other’s traffic, and access the same systems, it creates potential internal security issues (imagine everyone in sales having access to accounting or human resource systems). It also means that all devices reside on the same broadcast domain. That means each device within the domain receives broadcast traffic, which is an inherent capability of all LANs for advertising and discovering resources. Having all devices reside within the same broadcast domain can lead to network congestion and degraded performance, as well as render the network susceptible to distributed denial of service attacks and other cybersecurity breaches.
Obviously, it makes sense to segregate various LAN devices and systems into smaller networks in a way that prevents these issues while providing improved network management in a digital world where new systems and application are constantly coming online. While segregation can be accomplished physically by breaking down a LAN into smaller physical subnets, this requires multiple switches, routers, access points, and infrastructure, which is highly inefficient, unmanageable and costly.
Think about it. Does it really make sense to have separate switches in a telecom room or multiple Wi-Fi access points for each system and function within a given space? And what do you do if a device or system needs to move to a whole new space? This is why we need VLANs.
In summary, the purpose of VLANs and why we need them is to provide segmentation for security, network management and scalability, while significantly reducing broadcast traffic and congestion on the network.
How do VLANs work?
VLANs are typically established at the Layer 2 data link level of the OSI model but can also be enabled at the Layer 3 network level for inter-VLAN routing (enabling traffic from one VLAN to another). Most switches today are VLAN-capable, and VLANs are configured through switch software that allows network managers to assign specific switch ports to specific VLANs using VLAN tags. The number of VLANs that can be established on a specific switch depends on the switch but based on the IEEE 802.1Q standard that defines VLAN tagging for Ethernet frames, the number of Layer 2 VLANs on the network cannot exceed 4,096. We won’t get into the details here, but should also point out that switch ports can be configured as access ports that belongs to a single VLAN or as trunk ports that support multiple VLANs.
VLANs can be assigned based on interface, MAC address, IP address, protocols, or a combination thereof. This allows an organization to configure them in whichever way works best for their specific need, such as according to user or business function. In turn, this eases network management and flexibility since devices and systems can be physically located anywhere and moved around a facility while staying on the same VLAN. Security is improved since only devices and systems on the same VLAN can communicate with each other. Traffic flow is improved because each VLAN is its own broadcast domain—broadcasts sent by a device in one domain are not forwarded to devices in another. VLANs also support scalability—as the network grows, creating more VLANs increases the number of domains but keeps their size smaller to maintain network performance and prevent congestion.
In summary, VLANs work by assigning specific switch ports to a VLAN, which is a configuration done through the switch software on VLAN-capable switches.
How to troubleshoot VLANs
When problems arise, troubleshooting the cable plant is typically the first step since that’s where the majority of issues occur. Lack of continuity or poor network performance is often the result of improper termination, damage, subpar components, or network upgrades not supported by the cable plant. These issues are easily identifiable via wiremap and qualification testing, but if everything passes, there is a chance that the problem has to do with improper VLAN assignment. If a device or system is assigned to the wrong VLAN, it won’t be able to send traffic to other devices on that VLAN. Misconfigurations at the switch such as having no port associated with a particular VLAN can also cause the VLAN to go down.
The best way to prevent incorrect VLAN assignments is by maintaining proper documentation, but in a dynamic environment with a lot of moves, adds, and changes, it’s quite possible that a user or device ends up on the wrong switch port and therefore the wrong VLAN. Unfortunately, these issues are impossible to troubleshoot with a basic cable tester, but a cable+network tester like Fluke Networks’ new LinkIQ™ lets you check VLAN information in addition to wiremap, qualification, and PoE testing – all in one low-cost device.
Network switches use standards-based link layer discovery protocol (LLDP) or Cisco discovery protocol (CDP) that allow them to discover connected devices and advertise their capabilities. LinkIQ has the ability to receive discovery protocol packets from a switch for a given link to show the VLAN that the link is assigned to. It will also indicate the name and description of the switch, port ID, and the advertised speeds. On the LinkIQ’s gesture-based touchscreen, that takes up nearly the entire face of the instrument and makes it easy to clearly display large amounts of information, speeds not advertised by the switch are grayed out. This can also help indicate if you used the right speed when qualifying the cable plant.