Implementing VLANs
What is an end-to-end VLAN?

The term end-to-end VLAN refers to a single VLAN associated with switch ports that are widely dispersed throughout an enterprise network. Traffic for this VLAN is carried throughout the switched network. If many VLANs in a network are end-to-end, special links are required between switches to carry traffic from multiple VLANs.
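The "special links" mentioned above are trunk links: every frame crossing them carries a tag identifying its VLAN, so a single physical link can carry many end-to-end VLANs between switches. The page does not name the tagging standard; the example below is an added illustration (not code from the original text) that builds and parses the standard IEEE 802.1Q tag (TPID 0x8100, then a 16-bit TCI holding priority, DEI and the 12-bit VLAN ID). The frames are constructed in the code, not captured, and the default native VLAN of 1 for untagged frames is an assumption stated in the code.

```python
"""Build and parse 802.1Q-tagged Ethernet frames as carried on a trunk link.

Added example; the frames below are constructed, not captured traffic.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100  # Tag Protocol Identifier announcing a single 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Return an Ethernet frame; when vlan_id is given, insert an 802.1Q tag.

    The tag sits between the source MAC and the original EtherType, which is
    why a tagged frame is 4 bytes longer than its untagged form.
    """
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    # TCI layout: PCP (3 bits) | DEI (1 bit, left 0 here) | VID (12 bits)
    tci = ((pcp & 0x7) << 13) | vlan_id
    return dst + src + struct.pack("!HH", TPID_8021Q, tci) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Return the header fields of a frame as seen on a trunk port.

    Untagged frames belong to the trunk's native VLAN (assumed to be 1,
    the usual default); tagged frames carry their VLAN in the TCI.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "tagged": False, "vlan": native_vlan, "pcp": 0}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("frame too short for an 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, vlan=tci & 0x0FFF, pcp=tci >> 13)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


if __name__ == "__main__":
    dst = bytes.fromhex("001122334455")  # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    tagged = build_frame(dst, src, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan_id=100, pcp=5)
    untagged = build_frame(dst, src, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    for f in (tagged, untagged):
        p = parse_frame(f)
        print(f"tagged={p['tagged']} vlan={p['vlan']} pcp={p['pcp']} ethertype=0x{p['ethertype']:04x}")
```

Run stand-alone, the script shows the same IPv4 payload once carried in VLAN 100 with priority 5 and once untagged, which the receiving trunk port assigns to the native VLAN.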

An end-to-end VLAN has these characteristics:

  • The VLAN is geographically dispersed throughout the network.
  • Users are grouped into the VLAN regardless of physical location.
  • As a user moves throughout a campus, VLAN membership of that user remains the same.
  • Users are typically associated with a given VLAN for network management reasons.
  • All devices on a given VLAN typically have addresses on the same IP subnet.

Because a VLAN typically maps to a single Layer 3 segment (one IP subnet), end-to-end VLANs allow that Layer 3 segment to be geographically dispersed throughout the network. Reasons for implementing this design might include:

  • Grouping Users – Users can be grouped on a common IP segment even though they are geographically dispersed.
  • Security – A VLAN may contain resources that should not be accessible to all users on the network, or there may be a reason to confine certain traffic to a particular VLAN.
  • Applying QoS – Traffic from a given VLAN can be given higher or lower access priority to network resources.
  • Routing Avoidance – If much of the VLAN user traffic is destined for devices on that same VLAN and routing to those devices is not desirable, users can access resources on their VLAN without their traffic being routed off the VLAN even though the traffic may traverse multiple switches.
  • Special Purpose VLAN – Sometimes a VLAN is provisioned to carry a single type of traffic that must be dispersed throughout the campus (for example, Multicast, Voice or Visitor VLANs).
  • Poor Design – For no clear purpose, users are placed in VLANs that span the campus or even WAN networks.

There are some items that should be considered when implementing end-to-end VLANs. Switch ports are provisioned for each user and associated with a given VLAN. Because users on an end-to-end VLAN may be anywhere in the network, all switches must be aware of that VLAN. This means that all switches carrying traffic for end-to-end VLANs are required to have identical VLAN databases. Also, flooded traffic for the VLAN is, by default, passed to every switch even if it does not currently have any active ports in the particular end-to-end VLAN. Finally, troubleshooting devices on a campus with end-to-end VLANs can be challenging, because the traffic for a single VLAN can traverse multiple switches across a large area of the campus.
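Two of the considerations above are easy to check mechanically: whether every switch carrying an end-to-end VLAN defines it identically, and which switches define a VLAN without any local member ports (the switches that receive its flooded traffic for no local benefit). The script below is an added example, not part of the original text or of any vendor tool; it parses constructed `show vlan brief`-style output from three hypothetical switches (`dist-1`, `access-2`, `access-3`) and reports VLANs missing from some switches, VLANs whose names disagree, and VLANs with no local ports. The switch names, VLAN numbers and port lists are all constructed sample data.

```python
"""Audit VLAN databases across the switches of an end-to-end VLAN design.

Added example. The 'show vlan brief' text below is constructed sample
output for three hypothetical switches, not collected from real devices.
"""
import re

SHOW_VLAN_BRIEF = {
    "dist-1": """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
100  SECURE                           active    Gi1/0/10, Gi1/0/11
200  VOICE                            active
""",
    "access-2": """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1
100  SECURE                           active
200  VOICE                            active    Gi1/0/5, Gi1/0/6,
                                                Gi1/0/7
""",
    "access-3": """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1
200  VoIP                             active    Gi1/0/9
""",
}

# One VLAN row: id, name, status, then an optional comma-separated port list.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_show_vlan_brief(text: str) -> dict:
    """Return {vlan_id: {"name", "status", "ports"}} from show vlan brief output."""
    vlans = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue  # header and separator lines
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            ports = [p.strip() for p in m.group(4).split(",") if p.strip()]
            vlans[current] = {"name": m.group(2), "status": m.group(3), "ports": ports}
        elif current is not None and line[:1].isspace():
            # A long port list wraps onto indented continuation lines.
            vlans[current]["ports"].extend(p.strip() for p in line.split(",") if p.strip())
    return vlans


def audit(databases: dict) -> dict:
    """Compare per-switch VLAN databases and report inconsistencies.

    missing:        VLAN -> switches that do not define it (database mismatch)
    name_conflicts: VLAN -> {switch: name} where the name differs between switches
    no_local_ports: VLAN -> switches that define it but have no member ports
                    (they still receive its flooded traffic)
    """
    switches = sorted(databases)
    all_vids = set().union(*(set(db) for db in databases.values()))
    missing, name_conflicts, no_local_ports = {}, {}, {}
    for vid in sorted(all_vids):
        absent = [sw for sw in switches if vid not in databases[sw]]
        if absent:
            missing[vid] = absent
        names = {sw: databases[sw][vid]["name"] for sw in switches if vid in databases[sw]}
        if len(set(names.values())) > 1:
            name_conflicts[vid] = names
        idle = [sw for sw in switches if vid in databases[sw] and not databases[sw][vid]["ports"]]
        if idle:
            no_local_ports[vid] = idle
    return {"missing": missing, "name_conflicts": name_conflicts, "no_local_ports": no_local_ports}


if __name__ == "__main__":
    dbs = {sw: parse_show_vlan_brief(text) for sw, text in SHOW_VLAN_BRIEF.items()}
    report = audit(dbs)
    for vid, sws in report["missing"].items():
        print(f"VLAN {vid}: not defined on {', '.join(sws)}")
    for vid, names in report["name_conflicts"].items():
        print(f"VLAN {vid}: name differs: {names}")
    for vid, sws in report["no_local_ports"].items():
        print(f"VLAN {vid}: defined but no member ports on {', '.join(sws)}")
```

In the constructed data, VLAN 100 is absent from `access-3` (a user patched in there would not get service), VLAN 200 is named differently on `access-3`, and `access-2` carries VLAN 100 and `dist-1` carries VLAN 200 without any local members, which is exactly where flooded traffic for those VLANs arrives with no one to receive it.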

Example: VLAN Implementation

In a military setting, one VLAN is designated to carry top-secret data. Users with access to that data are widely dispersed throughout the network. Because all devices on that VLAN have similar security requirements, security is handled by access lists at the Layer 3 devices that route traffic onto the segment (VLAN). Security can be applied VLAN-wide without addressing security at each switch in the network, some of which might have only a single user on the top-secret VLAN.