
7 VLAN membership

There are 2 methods available to assign VLAN membership, which are static VLANs and
dynamic VLANs.
7.1 Static VLANs
In this type of VLAN, the network administrator creates a VLAN by manually assigning a port to
a specific VLAN. These are also known as port-based VLANs. The membership of the port does not
change until the network administrator changes the port assignment. (Vlan membership, 2013)
7.1.1 Port-Based VLAN
Port-based VLANs are one of the methods of assigning static VLANs. It works at Layer 1 of the OSI
model. The network administrator needs to manually assign each switch port to a specific
VLAN. When an end user device is connected to a particular port, it is automatically
assigned to that VLAN.

Figure 1 Example of port-based VLAN membership (CPLC Company)


For example, ports 1 to 10 are assigned to the telecommunication department VLAN and ports 11 to 20
are assigned to the Network Call Centre department (NCC) VLAN. When a device is connected to port
5, it becomes a member of the telecommunication VLAN. If the user wants to change port 10 to the NCC
VLAN, the network administrator has to reconfigure the port for that VLAN.

Port-based VLANs perform well in a small network. Applied in a large organization, they become
a daunting and time-consuming management task. Every time a user moves from one port to
another, the network administrator must reconfigure the VLAN membership. (Angelescu, 2010)
7.2 Dynamic VLAN Membership
Dynamic VLAN membership is not based on the port numbers of a switch. It relies on
information about the end user device, such as MAC address, IP subnet or protocol. When an end
user device is plugged in to a switch, the switch uses the database to verify the user. Dynamic
VLAN membership allows the user to move from one location to another and still remain
a member of the VLAN. (static vlan VS dynamic vlan, 2010)
7.2.1 Membership by MAC-Address
VLAN membership is assigned based on the MAC address of the end user device.
Every device connected to the network has a network interface card (NIC), and each
NIC has a unique MAC address, a 12-digit hexadecimal number. Whether the device is
connected to a different port or a different switch, the MAC address remains the same. Wherever an end
user device is plugged into the network, the switch queries the centralized database to
recognize the member of the assigned VLAN. (theoharakis, 2001)

Table: MAC-address-based VLAN membership on a switch (columns: No, VLAN 1 MAC addresses, VLAN 2 MAC addresses; entries MAC_ADD_01 to MAC_ADD_08)

7.2.2 Membership by Protocol
VLAN membership can be assigned based on the protocol type of the workstation.

IP subnets and IPX networks can each be assigned their own network. For example, all the IP
subnets can be assigned to VLAN 1 and the entire IPX network can be assigned to VLAN 2. This
type of membership allows multiple VLANs to be used on a port. (type of vlan, 2000)
Protocol    VLAN
IP          1
IPX         2

This method permits traffic control on the basis of protocol. For example, a
computer and a Voice over IP (VoIP) phone are connected to the same port of the switch. The
VoIP traffic has a higher priority and is time sensitive. The protocol-based VLAN
will control the traffic and give priority to the VoIP traffic.
The disadvantage of this membership is that the network is complex, so a more experienced and
protocol-knowledgeable network administrator is needed for network management. Moreover, a large
portion of the switches in a protocol-based VLAN are layer 3 switches, which makes the cost
higher compared to layer 2 switches. (theoharakis, 2001)
7.2.3 Membership by IP Subnet Address
IP Subnet          VLAN
192.126.35.127     1
140.5.64.1         2

In this method, the membership assignment of the computers depends on Layer 3 addresses.
The layer 3 addresses are used only for mapping to determine VLAN membership,
not for any routing purpose. For example, the IP subnet 192.126.35.127 belongs to VLAN 1
and the IP subnet 140.5.64.1 belongs to VLAN 2. Reconfiguration is not needed if users
move within the same VLAN. The main problem with this type of membership is that
forwarding a packet takes longer than with MAC addresses. (type of vlan,
2000)
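The three dynamic membership methods of 7.2.1 to 7.2.3, as an added example that is not part of the original report: a classifier that parses an untagged Ethernet II frame and derives the VLAN from the source MAC, the EtherType, or the source IP subnet. The MAC values, the /24 and /16 masks and all function names are assumptions made for the illustration, and the frames are constructed samples.

```python
import ipaddress
import struct

# Constructed policy tables mirroring the report's examples; the MAC values and
# the subnet masks (/24, /16) are assumptions, since the report gives none.
MAC_DB = {"00:11:22:33:44:01": 1, "00:11:22:33:44:07": 2}
PROTO_DB = {0x0800: 1, 0x8137: 2}          # EtherType: IPv4 -> VLAN 1, IPX -> VLAN 2
SUBNET_DB = [(ipaddress.ip_network("192.126.35.0/24"), 1),
             (ipaddress.ip_network("140.5.0.0/16"), 2)]


def parse_frame(frame: bytes):
    """Return (source MAC, EtherType, source IPv4 or None) of an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    src_ip = None
    if ethertype == 0x0800 and len(frame) >= 34:     # 14-byte header + 20-byte IPv4 header
        src_ip = ipaddress.ip_address(frame[26:30])  # IPv4 source address field
    return src, ethertype, src_ip


def classify(frame: bytes, method: str):
    """Return the VLAN id for the frame under one membership method, or None (no access)."""
    src, ethertype, src_ip = parse_frame(frame)
    if method == "mac":
        return MAC_DB.get(src)             # MAC not in the database -> None (restricted)
    if method == "protocol":
        return PROTO_DB.get(ethertype)
    if method == "subnet" and src_ip is not None:
        return next((vlan for net, vlan in SUBNET_DB if src_ip in net), None)
    return None


def make_ipv4_frame(src_mac: str, src_ip: str) -> bytes:
    """Build a constructed sample frame (broadcast destination, header-only IPv4 packet)."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, bytes(4))
    return eth + ip


if __name__ == "__main__":
    known = make_ipv4_frame("00:11:22:33:44:01", "192.126.35.127")
    moved = make_ipv4_frame("00:11:22:33:44:01", "140.5.64.1")   # same NIC, new IP
    for m in ("mac", "protocol", "subnet"):
        print(m, classify(known, m), classify(moved, m))
```

A frame from a MAC that is not in the database gets no VLAN under the MAC method, while the same NIC sending from a different source IP keeps its VLAN under the MAC method but is reclassified under the subnet method.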

Evaluation of VLAN membership in CPLC Company


We have planned to assign every department of CPLC Company to a different VLAN, which
ensures communication security and isolates broadcast packets. We have chosen to assign the
VLAN membership using MAC address for communication. MAC address based VLAN
membership provides flexible access control. Reconfiguration of the switch is not needed when
staff of the telecommunication or network operation department move around in another part
of the building within the same network. This reduces the workload of the network
administrator. Because the MAC address is hardwired, the staff's device remains a member of
a particular VLAN. For example, telecommunications department staff can only access
VLAN 3 and network operation department staff can only access VLAN 5. Moreover, it is
more secure than the physical infrastructure, because the centralized database checks the
MAC address of the workstation. If the MAC address is not recognized by the centralized database, it will
restrict the workstation / illegal users from accessing the network resources. There are 5
departments in the company and approximately 100 people. The drawback
of MAC address VLAN membership is that all users must initially be configured to be in at least
one VLAN. This problem would not have a large impact on CPLC Company, as the number
of staff and workstations is not large. There are many network management tools available on
the market. By using them, the complexity of initial configuration can be reduced. (theoharakis,
2001)

http://books.google.com.my/books?id=OY7a2A-E6jkC&pg=PA53&dq=port+based+vlan+membership&hl=en&sa=X&ei=cSu3UsGcE4aeiQfBvoCgCg&redir_esc=y#v=onepage&q=port%20based%20vlan%20membership&f=false

There are a few reasons that I do not choose port-based VLAN membership. Firstly,
reconfiguration is needed when staff move from one port to another. It would be a nightmare
for the network administrator if any department of CPLC moves from one place to another
again. A large amount of time would be consumed in order to fix this complex stuff.
Secondly, it is not easy to share network resources such as servers and printers. Although this
problem can be solved by adding a router to the network to interconnect the port-based VLANs,
it might increase the possibility of unauthorized users accessing your network. (port based
vlan)

http://alliedtelesis.com/manuals/AWPLUSV224CLIa1/port_based_VLANs_overview.html

The reason membership by protocol is not being used is that it is complex. An experienced network
administrator is needed and layer 3 switches are more expensive than layer 2 switches.
(theoharakis, 2001) Slow packet forwarding in IP-based VLAN membership is a main
reason for not using it in this project. Moreover, another drawback of IP VLANs is that it would be easy
for a user to change the IP address configured in their system, which would alter their VLAN
membership and easily cause security issues. (skskonnect, 2001)
