Data processing systems are now often used as a primary tool for information storage, protection, management, and access. The advantages of keeping information in digital form are well known. Centrally located data storage resources enable enterprises of all kinds to consolidate their information in one place. By taking advantage of the ubiquitous availability of computer networks, such consolidation allows information to be widely available at many different locations, while also being managed by fewer people more efficiently.
For example, a high performance data processor such as a file server can be designed to efficiently retrieve information from a centralized bank of disks or tape drives. The file server can then be provided with one or more Network Interface Cards (NICs) to provide access to the stored data from client computers connected to a communication network. The specific type of network infrastructure depends upon the needs of the organization, but often it includes network equipment that uses the Institute of Electrical and Electronics Engineers (IEEE) 802.3 Ethernet local area network protocols at the physical and data link layers, together with higher layer protocols such as the Internet Protocol (IP), the Transmission Control Protocol (TCP), and the User Datagram Protocol (UDP), or alternative link technologies such as Asynchronous Transfer Mode (ATM).
In this fashion, the file server may receive requests for access to documents and other files from client computers connected to the communication network. Each such request is typically carried in the payload of a TCP segment or UDP datagram, which is in turn encapsulated in an IP packet and an Ethernet frame; the frame's Media Access Control (MAC) destination address is that of one of the network device ports in the file server.
Certain installations aggregate the demands for data storage access among multiple independent users, such as Internet Service Providers (ISPs) or corporate intranets. The relatively large local area network structures that result can be divided into physical work groups using devices such as Local Area Network (LAN) bridges, to restrict packet traffic, improve network response time, and provide some level of security based upon physical location.
However, a logical segmentation of users is also possible, regardless of their physical location, using so-called Virtual LAN (VLAN) devices. VLANs offer security, administration, and management of network broadcast activity in much the same way that physically separate LANs would. While VLANs provide logical separation of network traffic, they do not require work group members to be physically connected to the same switch or hub.
Typical VLAN components include high performance switches that logically segment connected end stations. This allows network managers to group switch ports and the users connected to them into logically defined groups of interest. These groupings can, for example, be co-workers within the same department, a cross-functional product team, or diverse users sharing the same network application or software. By grouping ports and users together across multiple switches, VLANs can span single building infrastructures, interconnected buildings, or even wide area regional networks.
VLANs thus provide the ability for an organization to be physically dispersed throughout a company while maintaining its group identities. For example, accounting personnel might be located in a manufacturing facility, in a research development center, in a field office, as well as in a corporate office. A VLAN provides the necessary security and administration features so that all group members appear to reside on the same virtual network sharing traffic and access rights only with each other.
The network switch is typically a core component of a VLAN, serving as the entry point for traffic originating from end station devices into a switch fabric for communication across an enterprise. The intelligence to group users, ports, or logical addresses into common communities of interest is provided by filtering and forwarding decisions made on a packet by packet basis, which rely on two functions: packet identification and packet filtering.
The packet identification or so-called “tagging” function assigns the same unique identification (ID) to packets belonging to the same VLAN. In IEEE 802.1Q this is a 12-bit VLAN ID carried in a tag inserted into the Ethernet frame header, so that a switch can recognize a packet's VLAN without relying solely on the port it arrived on.
Packet filtering is a technique that examines the VLAN ID information before making a decision about how to process a packet. For example, a packet's VLAN ID is checked when it is received by the VLAN enabled switch (so that it is accepted only on a port that belongs to that VLAN) and again when it is forwarded (so that it leaves only through ports that belong to that VLAN). This concept of packet filtering is analogous to the filtering functions commonly implemented in routers.
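The tagging and filtering functions just described, as an added example that is not part of the original text: a small Python model of a VLAN aware switch that parses IEEE 802.1Q tags, classifies each frame into a VLAN on ingress, checks VLAN membership on egress, and re-tags or strips the tag per output port. The port table (`PORTS`), the port numbers and the frames are constructed for illustration and are not any real switch's configuration. The one design choice worth noting is the ingress rule for access ports: a frame that arrives from an end station already carrying a tag is dropped rather than honored, so the station cannot pick its own VLAN.

```python
"""Added example: 802.1Q tag parsing plus ingress/egress VLAN filtering.
PORTS, the port numbers and all frames are constructed for illustration."""
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
VID_RESERVED = 0x0FFF      # VLAN ID 4095 is reserved and must not be forwarded

# Constructed port table (assumption, not a real switch): access ports carry
# one untagged VLAN (the PVID); trunk ports carry a set of tagged VLANs.
PORTS = {
    1: {"mode": "access", "pvid": 10},
    2: {"mode": "access", "pvid": 20},
    3: {"mode": "trunk", "allowed": {10, 20}},
}


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame; vlan_id is None when no 802.1Q tag is present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    vid, pcp, off = None, 0, 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]   # Tag Control Information
        pcp = tci >> 13                               # 3-bit priority
        vid = tci & 0x0FFF                            # 12-bit VLAN ID
        etype = struct.unpack("!H", frame[16:18])[0]  # real EtherType follows
        off = 18
    return {"dst": dst, "src": src, "vlan_id": vid, "pcp": pcp,
            "ethertype": etype, "payload": frame[off:]}


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0) -> bytes:
    """Assemble a frame, inserting an 802.1Q tag when vlan_id is given."""
    hdr = dst + src
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan_id & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def classify_ingress(port: int, frame: bytes):
    """Ingress filtering: return the VLAN ID the frame belongs to, or None to drop."""
    cfg = PORTS[port]
    vid = parse_frame(frame)["vlan_id"]
    if cfg["mode"] == "access":
        # A tagged frame from an end station is dropped: the switch, not the
        # station, decides which VLAN access-port traffic belongs to.
        return None if vid is not None else cfg["pvid"]
    # Trunk: untagged, priority-tagged (VID 0) and reserved VIDs are dropped,
    # and only VLANs explicitly allowed on the trunk are accepted.
    if vid is None or vid == 0 or vid == VID_RESERVED:
        return None
    return vid if vid in cfg["allowed"] else None


def egress_allowed(port: int, vid: int) -> bool:
    """Egress filtering: may traffic for VLAN vid leave through this port?"""
    cfg = PORTS[port]
    return vid == cfg["pvid"] if cfg["mode"] == "access" else vid in cfg["allowed"]


def forward(ingress_port: int, frame: bytes) -> dict:
    """Return {egress_port: frame_as_emitted} for a frame arriving on ingress_port.
    Flooding to every member port stands in for a MAC address table lookup."""
    vid = classify_ingress(ingress_port, frame)
    if vid is None:
        return {}
    f = parse_frame(frame)
    out = {}
    for port, cfg in PORTS.items():
        if port == ingress_port or not egress_allowed(port, vid):
            continue
        tag = vid if cfg["mode"] == "trunk" else None   # trunks tag, access strips
        out[port] = build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                                vlan_id=tag, pcp=f["pcp"])
    return out


if __name__ == "__main__":
    bcast, host = b"\xff" * 6, bytes.fromhex("0a0000000001")
    untagged = build_frame(bcast, host, 0x0800, b"constructed payload")
    print(sorted(forward(1, untagged)))                          # [3]
    spoofed = build_frame(bcast, host, 0x0800, b"x", vlan_id=20)
    print(sorted(forward(1, spoofed)))                           # [] (dropped)
```

Running the module shows an untagged frame from port 1 leaving only through the trunk with VLAN 10 tagged on, while the same station's attempt to inject a VLAN 20 tag is dropped at ingress; a VLAN 30 frame arriving on the trunk is likewise dropped because 30 is not in the trunk's allowed set.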
VLANs may therefore be positioned to solve a number of problems associated with personnel moving, adding, or changing locations within a building or campus. VLANs also provide the benefit of tighter network security by establishing well defined user groups to which traffic is limited, and better management and control of broadcast message activity. That security is only as strong as the switch configuration that enforces it: a port facing an end station must not accept a VLAN tag chosen by the station, and a trunk must carry only the VLANs it is meant to, or a host can reach VLANs it should not.