The term VLAN stands for virtual local area network. To understand VLANs, let's start with a network design that does not employ VLANs. Figure 1 shows a simplified diagram of a typical broadcast facility. In this diagram, all nonbroadcast operations computers, with the exception of on-air systems, connect into a single core switch. The on-air core is on a separate switch. At the other end of the drawing, Web servers, stream servers and visitor's wireless routers are in a demilitarized zone (DMZ). The DMZ permits these computers to be available on the Internet, but isolates them from more sensitive internal systems.
At first, this might seem like a reasonable design. However, it suffers from a few critical problems:
- The network is not segmented by function. Regular office communications is intermingled with production, traffic and news.
- The network is not segmented by traffic type. Heavy-weight video transfers in production are mixed with regular e-mail traffic.
- The design does not attempt to contain network hardware failures. A single network card failure could take down the entire facility.
- The design does not take advantage of increased security available through proper network design.
Why VLANs fit broadcast
VLAN technology is a good fit with the broadcast environment for several reasons. First, broadcasters typically run two specific types of traffic on their networks — video and all other. Second, broadcasters require reliability on certain services, but not on others. Third, broadcasters typically employ security in layers. VLANs help broadcasters design networks that meet these requirements.
Before revising the design above, it would help to understand more about how a VLAN works. As Figure 2 on page 26 shows, a switch can be configured to contain several VLANs. In this illustration, ports 1-4 are assigned to VLAN 1, and ports 5-12 are assigned to VLAN 2. The switch restricts the visibility and communications between ports in different VLANs.
In technical terms, the VLAN creates a broadcast domain. Only computers connected to physical ports grouped together under the same VLAN are in the same broadcast domain. To connect between two ports not on the same VLAN, you have to explicitly route the traffic from one VLAN to another. This means that network traffic can be segmented on the same switch. For example, a switch could be configured so that office traffic is not seen by broadcast devices and vice versa. VLANs can extend across multiple switches so that computers located in physically remote locations are connected together across the same VLAN. You can have a traffic computer located in master control, but confined to a traffic VLAN, even though the traffic computer is physically connected to an on-air network switch. VLANS can also be used to isolate traffic on the post-production network such that with proper network design, large video file transfers do not adversely impact the rest of the network.
Here are some technical details regarding VLAN construction. This information comes from a Broadcast Engineering webcast given by myself and Neville Wheeler and Robert Welch of Cisco in March 2006.
- Ethernet switch ports are configured for a specific VLANAs shown in Figure 2, each Ethernet switch port is assigned to a specific VLAN on the switch. VLANs are an all-or-nothing approach. Once a switch is set to use VLANs, every port on the switch must be assigned to a VLAN.
- Hosts (servers) are isolated by VLANTypically, servers are assigned their own VLAN. This allows the network administrator to keep server traffic separate, moderate network loading and orchestrate network traffic paths in complex, heavily loaded networks.
- Each VLAN is a broadcast domainAs mentioned earlier, each VLAN is a broadcast domain. Ethernet networks rely on a broadcast address — an address that is monitored by all hardware on the same network. Messages sent to this address are read by every client on the same network. On large networks, the broadcast traffic can become so great that it significantly impacts overall throughput. VLANs reduce broadcast traffic on a network.I have seen two cases where network hardware has failed in such a way that the card sent a stream of continuous broadcast messages. The volume of messages was so high that it swamped the entire network. These failures are known as broadcast storms. A properly engineered VLAN will contain broadcast storms to the VLAN itself rather than propagate these messages across the entire facility.
- Each VLAN is a different subnetThe number of available Ethernet addresses on a VLAN can be controlled by the network administrator. Subnetting is an involved topic. To learn more, search for subnet tutorials on the Internet. Also, most basic networking books contain chapters on network addressing and subnetting.
- Inter-VLAN communications requires routingCommunications between different VLANs requires that the network administrator specifically allow it. This is a built-in security feature of VLANs, which is especially valuable to the broadcaster. Unless you specifically permit it, computers on an office VLAN will not be able to communicate to any on-air, news or production systems. Remember, this is being done at the physical switch port level. No matter what a hacker tries, if his or her computer is plugged in to an office jack, it will not be able to see the mission-critical networks.
- First line of defense includes MAC filter, rate limiting and port speedTo further protect your on-air and mission-critical systems, you can use VLANs combined with media access control (MAC) address filtering to prohibit access to networks not only by port, but by MAC address of the client machine. A MAC address uniquely identifies a specific network interface card on the network. You can search my previous Broadcast Engineering network tutorials at www.broadcastengineering.com for more information about MAC addressing. To keep VLANs from overloading switches, limit the maximum overall bit rate on the VLAN and limit port speeds as well. This will keep one client from crashing your switch or network by oversubscribing the available bandwidth on the network.
- IEEE 802.1q trunk connections between switches extends VLANs to other switchesFor curious readers, IEEE 802.1q protocol is used behind the scenes to build VLANs across multiple switches. Without a protocol such as 802.1q, VLANs would be limited to a single switch. 802.1q-compliant switches add a tag after the MAC address to identify which VLAN owns the packet. The tag is used by the destination switch to deliver the packet to the correct port(s) on the switch, but the switch removes the 802.1q tag before it delivers the packet to the port.
VLANs require a deeper understanding of networking technology than you might find in the typical office environment. That said, I have been impressed by the caliber of network engineers in many broadcast facilities. If you are reasonably comfortable with network technology but have not yet worked with VLANs, you will find the topic interesting and not hard to grasp. The benefits of VLANs for broadcasters outweigh the added knowledge needed to implement them.
VLANs require that everyone who maintains the network be familiar with the technology, because it radically alters the behavior of network switches. Someone who is not familiar with VLANs may plug a piece of equipment into a switch port and then waste hours if not days trying to figure out why the equipment will not work properly.
Brad Gilmer is president of Gilmer & Associates, a technology and management consulting company.
Send questions and comments to:firstname.lastname@example.org