The term end-to-end VLAN refers to a single VLAN associated with
switch ports that are widely dispersed throughout an enterprise network.
Traffic for this VLAN is carried throughout the switched network. If many VLANs
in a network are end-to-end, special links are required between switches to
carry traffic from multiple VLANs.
An end-to-end VLAN has these
characteristics:
- The VLAN is geographically dispersed throughout the network.
- Users are grouped into the VLAN regardless of physical location.
- As a user moves throughout a campus, VLAN membership of that user remains
the same.
- Users are typically associated with a given VLAN for network management
reasons.
- All devices on a given VLAN typically have addresses on the same IP
subnet.
Because a VLAN represents a Layer 3 segment, end-to-end VLANs allow a
single Layer 3 segment to be geographically dispersed throughout the network.
Reasons for implementing this design might include:
- Grouping Users – Users can be grouped on a common IP segment even
though they are geographically dispersed.
- Security – A VLAN may contain resources that should not be
accessible to all users on the network, or there may be a reason to confine
certain traffic to a particular VLAN.
- Applying QoS – Traffic from a given VLAN can be given higher or
lower access priority to network resources.
- Routing Avoidance – If much of the VLAN user traffic is destined for
devices on that same VLAN and routing to those devices is not desirable, users
can access resources on their VLAN without their traffic being routed off the
VLAN even though the traffic may traverse multiple switches.
- Special Purpose VLAN – Sometimes a VLAN is provisioned to carry a
single type of traffic that must be dispersed throughout the campus (for
example, Multicast, Voice or Visitor VLANs).
- Poor Design – For no clear purpose, users are placed in VLANs that
span the campus or even WAN networks.
There are some items that should be considered when implementing
end-to-end VLANs. Switch ports are provisioned for each user and associated
with a given VLAN. Because users on an end-to-end VLAN may be anywhere in the
network, all switches must be aware of that VLAN. This means that all switches
carrying traffic for end-to-end VLANs are required to have identical VLAN
databases. Also, flooded traffic for the VLAN is, by default, passed to every
switch even if it does not currently have any active ports in the particular
end-to-end VLAN. Finally, troubleshooting devices on a campus with end-to-end
VLANs can be challenging because the traffic for a single VLAN can traverse
multiple switches across a large area of the campus.
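The two operational concerns above (every switch carrying an end-to-end VLAN must have it in its VLAN database, and flooded traffic reaches switches with no active ports in the VLAN) can be checked against a switch inventory. The following is an added example and not part of the original text; the switch names, VLAN numbers and port assignments are constructed sample data, and the inventory dictionary stands in for whatever `show vlan`-style data a practitioner would collect from the real switches.

```python
"""Consistency checks for end-to-end VLANs across a campus switch inventory.

Added example, not from the original text. It models two points the text
raises: switches carrying an end-to-end VLAN need identical VLAN databases,
and flooded traffic for the VLAN reaches switches that have no active ports
in it. All names and numbers below are constructed sample data.
"""
from collections import defaultdict

# Constructed inventory: switch -> {vlan_id: set of access ports in that VLAN}.
# An empty set means the VLAN exists in the switch's database but no access
# port on that switch is assigned to it.
INVENTORY = {
    "bldg-a-sw1": {10: {"Gi1/0/1", "Gi1/0/2"}, 20: {"Gi1/0/5"}, 30: {"Gi1/0/9"}},
    "bldg-b-sw1": {10: {"Gi1/0/3"}, 20: set(), 30: set()},
    "bldg-c-sw1": {10: set(), 30: {"Gi1/0/7"}},        # VLAN 20 missing here
    "bldg-d-sw1": {10: set(), 20: set(), 30: set()},   # transit switch only
}


def end_to_end_vlans(inventory, min_switches=2):
    """VLANs that have access ports on at least `min_switches` switches,
    i.e. the geographically dispersed VLANs the text defines."""
    sites = defaultdict(set)
    for switch, vlans in inventory.items():
        for vid, ports in vlans.items():
            if ports:
                sites[vid].add(switch)
    return {vid: sorted(sws) for vid, sws in sites.items()
            if len(sws) >= min_switches}


def database_mismatches(inventory):
    """For each VLAN known on any switch, the switches whose VLAN database
    lacks it. A non-empty result breaks the identical-database requirement."""
    all_vids = {vid for vlans in inventory.values() for vid in vlans}
    result = {}
    for vid in sorted(all_vids):
        missing = sorted(sw for sw, vlans in inventory.items() if vid not in vlans)
        if missing:
            result[vid] = missing
    return result


def flood_only_switches(inventory, vid):
    """Switches that carry VLAN `vid` in their database but have no access
    ports in it: by default they still receive the VLAN's flooded traffic."""
    return sorted(sw for sw, vlans in inventory.items()
                  if vid in vlans and not vlans[vid])


def report(inventory):
    """Human-readable summary of both checks for every end-to-end VLAN."""
    lines = []
    e2e = end_to_end_vlans(inventory)
    for vid, switches in sorted(e2e.items()):
        lines.append(f"VLAN {vid}: access ports on {', '.join(switches)}")
        flood = flood_only_switches(inventory, vid)
        if flood:
            lines.append(f"  flooded to switches with no ports: {', '.join(flood)}")
    for vid, missing in database_mismatches(inventory).items():
        lines.append(f"VLAN {vid}: missing from VLAN database on {', '.join(missing)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY))
```

The `database_mismatches` result is the first thing to look at when a user on an end-to-end VLAN cannot reach peers in another building, and the `flood_only_switches` list identifies the switches (and therefore the trunks feeding them) from which the VLAN could be pruned if the broadcast load matters.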
Example: VLAN Implementation
In a military setting, one VLAN is designated to carry top-secret
data. Users with access to that data are widely dispersed throughout the
network. Because all devices on that VLAN have similar security requirements,
security is handled by access lists at the Layer 3 devices that route traffic
onto the segment (VLAN). Security can be applied VLAN-wide without addressing
security at each switch in the network, which might have only a single user on
the top-secret VLAN.