In the last article we looked at IP timing and its place in a broadcast network. In this article we continue the theme of looking at a network from a broadcast engineers’ point of view so they can better communicate with the IT department, and look at the problem VLANs are trying to solve.
VLANs work at the layer 2 level, that is Ethernet. They are similar to subnets but not the same, provide network security and improved performance.
IP has been successful in the internet and media domain as it is transport stream independent. That is, it can work with Ethernet, ISDN, ATM, serial and a whole plethora of different underlying hardware distribution networks. Video and audio streams provide a comparative analogy as they can both exist independently of SDI or computer networks.
Managed Switches Support VLAN
A single Ethernet network can have thousands of devices connected to it through the use of hubs, switches and bridges. Hubs are rarely used as they replicate all of the traffic on one port to all of the ports on the rest of the hub, causing congestion and collisions.
Switches are available in two varieties, managed and un-managed. An un-managed switch learns which devices are connected to each of its physical ports. When an IP camera wants to send video streams to a vision switcher with IP address 10.2.1.9, it first sends an address resolution protocol (ARP) query, which says “who has IP address 10.2.1.9 and send me your Ethernet address?”, as the layer 2 switcher has not yet learned which interface 10.2.1.9 is connected to, the ARP query is sent to all devices connected to the layer 2 switch.
IP In-dependant of Transport Layer
The vision switcher responds with its Ethernet address; the camera then sets its destination Ethernet address to be that of the vision switcher answering the ARP query. The layer 2 switch monitors this interaction and learns which port 10.2.1.9 is connected to, and from then on will only send traffic for the device to the port its connected to, in effect reducing congestion on the rest of the network, stopping collisions and improving efficiency.
Un-managed layer 2 switches do not require configuration and cannot be used as VLAN devices. Managed layer-2 switches allow more control over the network such as data rate shaping, quality of service configuration and VLAN ports.
A group of switches defines a network, bridges will link several networks together of the same protocol type, in the case of Ethernet this is a layer 2 bridge. So if Studio-1 is in one building and Studio-2 in another, a bridge can be used to link the two different networks together at the layer 2 level.
At layer 3, if the IP address of a datagram cannot be resolved in the network it is sent to a gateway router, the router has look up tables with destination addresses so that it can forward the datagram to another network, which may also be a different protocol such as ATM or DSL.
Ethernet bridges differ from routers as they can only route layer 2 traffic between networks of the same type, for example Ethernet. But if the user wants to send a datagram to a network of a different type, for example ADSL, a router must be used.
VLANs Solve Security
The fundamental problem with this approach is that within a single Ethernet network, all devices can be seen by all other devices. Camera-1 in studio 1 could send data to the sound desk in studio 3, even with a managed switch. This may increase flexibility but the network becomes congested extremely quickly and security is an obvious issue. Equipment may stop working properly as a sound desk would not respond well to having data from many camera’s sent to it.
VLANs are a solution to both these problems.
Layer 2 switches, when configured to operate in VLAN mode can logically separate an entire Ethernet network into many different logical networks. The key here is “logical”, the devices can still be connected to the same physical switcher, but the ports can be labelled with different VLAN identifiers (VLAN ID’s), the algorithms within the switchers stop Ethernet datagrams being sent to ports with different VLAN ID’s, thus greatly improving security and congestion handling.
The layer 2 switch inserts the VLAN ID into the header of an Ethernet packet as it enters the switch, sends it to the appropriate port, and just as the datagram leaves the switch at the destination end the VLAN ID data is removed. From the point of view of the user the VLAN ID is never seen.
VLANs Connected with IP Routers
Each port on the switch can be configured as either an access or trunk type. Access ports can have only one VLAN configured in the interface and carry traffic for only one VLAN. Trunk ports can have two or more VLANs configured on the interface and can carry several VLANs simultaneously. Trunk ports are generally used to route VLANs to different switches.
Although each access interface can have only one VLAN, they can all be different VLAN ID’s on the same switch. This is where the logical separation, security and reduction of congestion takes place. If port 1 has VLAN1, port 2 has VLAN2 and port 3 has VLAN3 configured in the switch, then none of the devices connected on each of these ports can see the other devices. So if camera 1 is connected on VLAN1, microphone 1 is connected to VLAN2, then camera 1 media streams cannot be sent to the microphone on VLAN2.
Television fundamentally differs from IT as we are used to sending signals along a cable in one direction only, in IT Ethernet is bi-directions, so it's possible to send camera video packets to a microphone. Good network design is needed to stop this.
Sometimes a device may need access to a different VLAN. If the producers’ computer in Studio-1 was attached to VLAN11 and they needed email access which was on VLAN90, then a router would be needed to connect the two networks together. This doesn’t compromise security as the network administrator will be able to configure the router to allow only email traffic to the computer.
Generally speaking, each IP subnet is aligned to a VLAN ID, this makes administration easier and routing between different VLAN’s more intuitive. Some layer 2 switches have layer 3 routers built into them allowing routing between VLANs. If the layer 2 switcher does not have a router built into it, then an external layer 3 router must be used.
You might also like...
In the previous articles in this series we looked at advanced server security and out-of-band monitoring and control, especially with security validation of peripheral device firmware. In this article, we investigate virtualization further and its benefits for building secure broadcast…
In this thought-provoking missive, Gary Olson delivers his predictions and insights for IBC 2019.
In the previous article in this series we looked at advanced server security and how the controller within a hard disk drive or SSD can be vulnerable to hacking even with the most advanced firewalls and anti-virus software. In this…
A major development has happened in the broadcast industry with the adoption of software running on COTS servers for processing uncompressed real-time video. Up to recently, this had not even appeared on the radar, but new technology evolution and innovation…
Broadcasters continue to see the benefits of IP and many are integrating piecemeal to build hybrid SDI-IP systems. At a first glance, monitoring of hybrid systems may seem to be just an extension of existing practices. However, the complex interaction…