Chapter 45: MAC Address-based VLANs
632 Section VII: Virtual LANs
Overview
As explained in “Overview” on page 556, VLANs are used to create
independent LAN segments within a network and are typically employed
to improve network performance or security. The AT-9000 Switch offers
several different types of VLANs, including port-based, tagged, and
private VLANs. Membership in these VLANs is determined either by the
port VLAN identifiers (PVIDs) assigned to the ports on the switch or, in the
case of tagged traffic, by the VLAN identifiers within the packets
themselves.
This chapter describes VLANs that are based on the source MAC
addresses of the end nodes that are connected to the switch. With MAC
address-based VLANs, only those nodes whose source MAC addresses
are entered as members of the VLANs can share and access the
resources of the VLANs. This is in contrast to port-based and tagged
VLANs where any node that has access to a switch port can join them as
a member.
One of the principle advantages of this type of VLAN is that it simplifies the
task of managing network users that roam. These are users whose work
requires that they access the network from different points at different
times. The challenge for a network administrator is providing these users
with the same resources regardless of the points at which they access the
network. If you employed port-based or tagged VLANs for roaming users,
you might have to constantly reconfigure the VLANs, moving ports to and
from different virtual LANs, so that the users always have access to the
same network resources. But with MAC address-based VLANs, the switch
can assign network users to the same VLANs and network resources
regardless of the ports from which they access the network.
Egress Ports Implementing MAC address-based VLANs involves more than entering
the MAC addresses of the end nodes of the VLAN members. You must
also designate the egress ports on the switch for the packets from the
nodes. The egress ports define the limits of flooding of packets when a
port receives a unicast packet with an unknown destination address (that
is, an address that has not been learned by the MAC address table).
Without knowing the egress ports of a MAC address-based VLAN, the
switch would be forced to flood the packets on all ports, possibly resulting
in security violations in which end nodes receive packets from other nodes
in different VLANs.
Table 62 illustrates a simple example of the mapping of addresses to
egress ports for a MAC address-based VLAN of six nodes. The example
consists of four workstations, a printer, and a server. Workstation 1, for
instance, is connected to port 1 on the switch and is mapped to egress
ports 5 for the server and 6 for the printer.
To Next Page
Loading...
