LAN Segmentation

This page will discuss the advantages of LAN segmentation and will describe LAN segmentation using bridges, switches, and routers.  Also described will be the benefits of using each of these three internetworking devices.

When separate networks are needed or if a network has reached its physical limitations, segmentation is used.  Segmenting a LAN can extend the network, reduce congestion, isolate network problems, and improve security.

• Extending the network -- When the maximum physical limitations of a network has been reached, routers may be added to create new segments to allow additional hosts onto the LAN.
• Reduce Congestion -- As the number of hosts on a single network increases, the bandwidth required also increases.  By segmenting the LAN, you can reduce the number of hosts per network.  If traffic consists of communications between hosts on the same segment, then bandwidth usage is substantially reduced.
• Isolate network problems -- By dividing the network into smaller segments, you reduce the overflow of problems from one segment to the next.  Hardware and software failures are some of the problems that can be reduced to affect smaller portions of the network.
• Improve Security -- By utilizing segments, a network administrator can ensure that the internal structure of the network will not be visible from an outside source.  Privileged packets will only be broadcast on the subnet it originated from, not throughout the network.

The term bridging refers to a technology in which a device (known as a bridge) connects two or more LAN segments.  A bridge transmits datagrams from one segment to their destinations on other segments.

Bridges are capable of filtering frames based on any Layer 2 fields.  A bridge, for example, can be programmed to reject (not forward) all frames sourced from a particular network. Because link-layer information often includes a reference to an upper-layer protocol, bridges usually can filter on this parameter.  Furthermore, filters can be helpful in dealing with unnecessary broadcast and multicast packets.  Because only a certain percentage of traffic is forwarded, a bridge or switch diminishes the traffic experienced by devices on all connected segments.  The bridge or switch will act as a firewall for some potentially damaging network errors, and both accommodate communication between a larger number of devices than would be supported on any single LAN connected to the bridge.

Because routers use Layer 3 addresses, which typically have structure, routers can use techniques (such as address summarization) to build networks that maintain performance and responsiveness as they grow in size.  Segments are interconnected by routers to enable communication between LANs while blocking other types of traffic.  Routers also allow for the interconnection of disparate LAN and WAN technologies while also implementing broadcast filters and logical firewalls.  In general, if you need advanced internetworking services, such as broadcast firewalling and communication between dissimilar LANs, routers are necessary.

Switches are data link layer devices that, like bridges, enable multiple physical LAN segments to be interconnected into a single larger network.  Similar to bridges, switches forward and flood traffic based on MAC addresses.  Because switching is performed in hardware instead of in software, however, it is significantly faster.  Switches use either store-and-forward switching or cut-through switching when forwarding traffic.

Segmenting shared-media LANs divides the users into two or more separate LAN segments, reducing the number of users contending for bandwidth.  LAN switching technology, which builds upon this trend, employs microsegmentation, which further segments the LAN to fewer users and ultimately to a single user with a dedicated LAN segment.  Each switch port provides a dedicated, 10MB Ethernet segment.  Segments are interconnected by internetworking devices that enable communication between LANs while blocking other types of traffic.  Switches have the intelligence to monitor traffic and compile address tables, which then allows them to forward packets directly to specific ports in the LAN.  Switches also usually provide nonblocking service, which allows multiple conversations (traffic between two ports) to occur simultaneously.

LAN switches can be used to segment networks into logically defined virtual workgroups (VLANs). This logical segmentation, commonly referred to as VLAN communication, offers a fundamental change in how LANs are designed, administered, and managed. Logical segmentation provides substantial benefits in LAN administration, security, and management of network broadcast across the enterprise.

Superior throughput performance, higher port density, lower per-port cost, and greater flexibility have contributed to the emergence of switches as replacement technology for bridges and as complements to routing technology.

Transparent bridges successfully isolate intrasegment traffic, thereby reducing the traffic seen on each individual segment. This usually improves network response times, as seen by the user. 

• Bridges and switches extend the effective length of a LAN, permitting the attachment of distant stations that were not previously permitted.
• Bridges can connect more than two LANs and use the Spanning Tree Algorithm to eliminate loops while still allowing connectivity and redundancy between them.
• Bridges can compensate for speed discrepancies of WAN and LAN connections by using its buffering capabilities.  This is done by storing the incoming data in on-board buffers and sending it over the serial link at a rate that the serial link can accommodate.
• Some bridges are MAC-layer bridges, which bridge between homogeneous networks (for example, IEEE 802.3 and IEEE 802.3), while other bridges can translate between different link-layer protocols (for example, IEEE 802.3 and IEEE 802.5).

Routers offer the following benefits in LAN segmentation:

• Media Transition--Routers are used to connect networks of different media types, taking care of the Layer 3 address translations and fragmentation requirements.
• Broadcast control--By default, routers don't pass broadcasts and therefore restrict the broadcast domain.  In addition to preventing broadcasts from radiating throughout the network, routers are also responsible for generating services to each LAN segment. The following are examples of services that the router provides to the network for a variety of protocols:
  • IP---Proxy ARP and Internet Control Message Protocol (ICMP)
  • IPX---SAP table updates
  • AppleTalk---ZIP table updates
  • Network management---SNMP queries
• Packet Filtering--Routers can filter packets either inbound or outbound between LAN segments or LAN and WAN segments.
• VLAN Communications--Routers remain vital for switched architectures configured as VLANs because they provide the communication between VLANs.
• Large Packets--Routers can handle large packets by fragmenting them into smaller pieces, sending them across the network, and reassembling them whereas bridges discard frames that are too large.

Layer 2 switches offer some or all of the following benefits:

• Unlike hubs and repeaters, switches allow multiple data streams to pass simultaneously.
• LAN switches are used to interconnect multiple LAN segments.  LAN switching provides dedicated, collision-free communication between network devices, with support for multiple simultaneous conversations.
• Collisions--Switches reduce collisions on network segments because they provide dedicated bandwidth to each network segment and each connected segment is in a separate collision domain.
• Bandwidth---LAN switches provide excellent performance for individual users by allocating dedicated bandwidth to each switch port (for example, each network segment). This technique is known as microsegmenting.  An Ethernet LAN switch improves bandwidth by separating collision domains and selectively forwarding traffic to the appropriate segments.
• Dedicated Bandwidth---Switches deliver dedicated bandwidth to users through high-density group switched and switched 10BaseT or 100BaseT Ethernet.
• VLANs---LAN switches can group individual ports into logical switched workgroups called VLANs, thereby restricting the broadcast domain to designated VLAN member ports.  VLANs are also known as switched domains and autonomous switching domains.  Communication between VLANs requires a router.