Cisco Knowledge Suite Cisco SystemsCisco Press

Cutting Edge
Core Reference
Guided Learning
Networking Architecture
Internet Protocols (IP)
Network Protocols
Transport and Application Protocols
Desktop Protocols
Security and Troubleshooting
Network Resources and Management
Integrated Services

LAN Segmentation


< Back Contents Next >

Routers and LANs



LAN Domains



LAN Segmentation



LAN Backbones



WAN Gateway




Save to MyCKS

IP Routing Fundamentals

From: IP Routing Fundamentals
Author: Mark Sportack
Publisher: Cisco Press (53)
More Information

LAN Segmentation

Although the preceding series of examples seem a bit redundant, it is necessary to develop the context for better appreciating the differences between a LAN's MAC broadcast and/or media access domains. Although these two domains are so closely related as to be virtually synonymous from a user's perspective, they can be intentionally and unambiguously separated. This separation, as demonstrated throughout the preceding section's examples and illustrations, is known as segmentation.

Segmentation is the process of splitting a LAN's domain(s) into two or more separate domains. This allows a LAN to grow beyond its inherent limitations without compromising its performance. It is possible to segment LANs' media access domains, MAC broadcast domains, or both. Segmentation is usually done to improve the performance of a LAN, although it could be done proactively to ensure the continued scalability of the LAN.

Some of the devices that could be used to segment a LAN are bridges, switches, and routers. The functional distinctions between these different segmentation devices lie in the layers of the OSI reference model that they operate in. The point is that there are different tools for segmenting different aspects of a LAN. Selecting the right one for your particular needs absolutely requires understanding the ways that each operates and the effects they have on the LAN's domains.

Segmenting with Bridges

A bridge is a hardware segmentation device that operates at the first two layers of the OSI reference model—the physical and data link layers. Bridges segment a LAN's media access domain. Therefore, installing a bridge between two LAN hubs results in two media access domains that share a common MAC broadcast domain.

In general, all bridges work by building address tables. These tables are built and maintained by a bridge. Each is populated with a two-dimensional array or table. The bridging table maintains an up-to-date listing of every MAC address on the LAN, as well as the physical bridge port connected to the segment containing that address.

In operation, the bridge listens to all LAN traffic. The source and destination MAC addresses of each frame received by the bridge are examined. This allows the bridge to learn which MAC addresses reside on which port and, consequently, which LAN segment.

The destination address is hashed against the bridging table to identify the appropriate port to transmit it from. If the MAC address exists on the same LAN segment that the frame came from, the bridge needs to do nothing with it; it safely assumes that the frame has already been carried to its intended destination.

If the bridging table identifies that MAC address as being on a different segment, however, the bridge then forwards that frame to that segment. It is important to note that the bridge, as far as media access is concerned, must adhere to the media access protocol. In a token-passing network, the bridge must await the token before it can forward the frame. In a contention-based LAN, the bridge must compete for available bandwidth before it can forward the frame.

It is quite possible that the bridge will occasionally receive a frame addressed to a MAC address that the bridge doesn't know about. This can happen when a new device is connected to the network, a bridge's bridging table is “lost,” or a new bridge is installed. In such cases, the bridge will propagate that frame to all its attached LAN segments, except for the one the frame came from.

Bridging, in an IEEE 802-compliant LAN, occurs at the MAC layer. For this reason, bridges are frequently referred to as MAC bridges. MAC bridging is an unnecessarily broad technical term. It effectively describes the layer at which the device operates but does not describe its functionality. In fact, there are three types of MAC bridges:

  • Transparent bridges

  • Translating bridges

  • Speed-buffering bridges

Transparent Bridges

Transparent bridges link together segments of the same type of LAN. The simplest transparent bridge contains just two ports, but transparent bridges may also contain more ports. Figure 3-7 illustrates how a transparent bridge isolates the traffic of two LAN segments by creating two media access domains.

Figure 3-7. Transparent bridges segment the media access domain of a single LAN architecture.

The transparent bridge segments one LAN with one communications channel into two distinct communications channels within a common architecture. This is significant because it means that a bridge can reduce the number of devices in a media access domain by creating two such domains.

It is important to note that transparent bridges do not segment a LAN's MAC broadcast domain. Therefore, in Figure 3-7, MAC broadcasts are still carried throughout the entire LAN. Despite this, the LANs on each side of the bridge function as separate media access domains.

Translating Bridges

A translating bridge, sometimes also referred to as a translational bridge, works in exactly the same manner as a transparent bridge, but it has the added capability to provide the conversion processes needed between two or more LAN architectures. It does this by literally translating the frames of one LAN architecture into the frame structure of another. This is useful for interconnecting Token Ring and Ethernet devices.

Figure 3-8 illustrates using a translating bridge to interconnect a Token Ring and Ethernet LANs. The stations on both LANs may communicate with each other through the bridge as easily as they communicate among themselves.


In Figure 3-8, the Token Ring LAN is depicted as a ring, and the Ethernet is depicted as a bus. This visually reinforces the differences between these two LAN architectures that would not otherwise be evident if they were illustrated using the more familiar star topology.

Figure 3-8. Translating bridges interconnect dissimilar LAN architectures.

The Token Ring and Ethernet LANs in Figure 3-8 retain separate media access domains. Given the radical differences in their media access arbitration techniques, this shouldn't be surprising. What may be surprising, however, is that the bridge unifies their MAC broadcast domains! Therefore, a Token Ring-connected computer can send MAC broadcasts to Ethernet-connected machines.

Perhaps a more useful application of translation bridging is using a more robust LAN architecture as a backbone for client/server LANs. It is quite common, for example, to use FDDI to interconnect Ethernet segments. This is illustrated in Figure 3-9.

Figure 3-9. Translating bridges can also be used to interconnect client/server LANs using a high-performance LAN architecture.

In this scenario, the use of translating bridges creates three separate media access domains: two Ethernet and one FDDI. These bridges, however, do not segment the LANs' MAC broadcast domains. Instead, the bridges unify the three different LANs into a single MAC broadcast domain.


Translation bridging is only possible among LANs that adhere to the IEEE's standards for MAC addressing.

Translating bridges are highly specialized devices. Therefore, unless a bridge is specifically identified as a translating bridge, do not assume that it can bridge dissimilar LAN architectures.

Speed-Buffering Bridges

The last type of bridge is the speed-buffering bridge. Speed-buffering bridges have long been used to interconnect LAN segments with similar architectures but different transmission rates. Examples of this include the following:

  • 4 Mbps to 16 Mbps Token Ring

  • 1 Mbps to 10 Mbps Ethernet

  • 10 Mbps to 100 Mbps Ethernet


You could argue that translating bridges are, in effect, also speed-buffering bridges. To the extent that most of the translations occur between LAN architectures with different transmission rates, translation bridges must also perform speed buffering. Their primary function is translation, however; speed buffering is an adjunct task made necessary by the translation.

Figure 3-10 illustrates a speed-buffering bridge interconnecting a 10 Mbps Ethernet LAN with a 100 Mbps Ethernet LAN. In this illustration, the servers are concentrated together on a single high-speed LAN segment, and the clients share a lower-speed segment.

Figure 3-10. Using a speed-buffering bridge to interconnect 10 and 100 Mbps Ethernet LANs.

In Figure 3-10, the clients and the servers enjoy separate media access domains, but now they share a common MAC broadcast domain.

Bridging Today

Generally speaking, bridges are simple and inexpensive devices. They are self-learning, so the administrative overheads are negligible. A bridge is usually a two-port device, but bridges can also have more ports. Such multiport bridges are useful in internetworking more than two LAN environments.

Bridges function transparently from both a user's and an administrator's perspective. The variety of bridges makes them a flexible mechanism for improving the performance of a LAN. Bridging is on the decline. This isn't due to their functions no longer being needed. Quite the contrary: Their functionality is required more today than ever before! Consequently, their functions have been almost completely usurped by other networking devices.

Their functionality has been built in to routers, multitopology LAN hubs, and, most importantly, LAN switches. Many stand- alone and stackable hubs are also available with higher performance up-link ports. All are either translating, speed-buffering, or transparent bridges in disguise.

Segmenting with Switches

A switch is a multiport, data link layer (Layer 2) device. Much like a bridge, a switch “learns” MAC addresses and stores them in an internal lookup table. Temporary logical paths are constructed between the frame's originator and its intended recipient, and the frames are forwarded along that temporary path. The capability to create and sustain temporary paths with their own dedicated bandwidth is what separates bridges from switches. Bridges use a shared backplane to interconnect LAN segments. Switches use temporary, but dedicated, logical paths to interconnect LAN segments as needed. This architecture results in each port on a switch functioning as a separate media access domain.

Beyond this architectural distinction, switches and bridges are similar enough in their mechanics that switches are frequently described as nothing more than fast bridges. This is a gross oversimplification, of course, that does not adequately describe a switch's many benefits.

Switching can be used to interconnect either hubs or individual devices. These approaches are known as segment switching and port switching, respectively.

Segment Switching

Using a switch to interconnect shared hubs is known as segment switching. This name indicates that each port functions as its own segment. In this scenario, each hub connected to a switched port becomes its own media access domain although that domain must include the switched port.

Figure 3-11 illustrates the media access and MAC broadcast domains of a segment-switched LAN.

As is now somewhat predictable with data link layer segmentation mechanisms, segment switching does not segment the MAC broadcast domain. Segment switching does, however, segment media access domains. The net effect is an increase in the available bandwidth on the LAN, a decrease in the number of devices sharing each segment's bandwidth, yet no compromise in the Layer 2 connectivity (as defined by the MAC broadcast domain). A MAC broadcast would be propagated throughout all the switched segments.

Figure 3-11. Media access and MAC broadcast domains in a segment-switched LAN.

Port Switching

In a port-switched LAN, each port on the switching hub is connected to a single device. The switching port and the device it connects to become their own self-contained media access domain. All devices in the network remain part of the same MAC broadcast domain, however. This is illustrated in Figure 3-12.

Port switching is also sometimes referred to as microsegmentation because it chops a LAN's media access domain into the smallest possible segments. Switching has proven to be so successful at improving LAN performance in both segment and port-level configurations that it has been broadly implemented. Today, it is easy to find a switching hub for virtually every LAN architecture, including both contention-based and token-passing LAN architectures.

Media access and MAC broadcast domains in a port-switched LAN.

Figure 3-12. Media access and MAC broadcast domains in a port-switched LAN.

Switching Contention-Based Networks

In a contention-based protocol, port switching effectively reduces the collision domain to just the switch port and the device that it connects to the network. The single greatest performance constraint in contention-based networks, such as Ethernet networks, is competition for bandwidth. Therefore, it shouldn't be a surprise that segmenting media access domains has always been the preferred means of improving performance in such networks.

Switching builds on this success model and takes it to the extreme with port segmentation. Competition for bandwidth, and the chaos that inevitably ensues on busy networks no longer need to be the performance constraints that they once were. In fact, port switches are frequently designed for full-duplex operation. A separate physical wire path exists for both transmit and receive operations. Therefore, even the competition between a switch port and its attached peripheral is eliminated.

Switching Token-Passing Networks

Port switching can improve token-passing LANs in much the same way it can improve contention-based LANs. The number of devices that pass tokens is reduced to an absolute minimum number of two: the switch port and the device connected to it. The only difference is that these devices pass tokens back and forth, rather than compete with each other for available bandwidth.

IP Switching

The last form of switching is called Layer 3 switching, or Internet Protocol (IP) switching. Layer 3 switches are, essentially, a cross between a LAN switch and a router. Each port on the switch is a separate LAN port, but the forwarding engine actually calculates and stores routes based on IP addresses, not MAC addresses.

Each LAN port functions as a port-switched LAN port. Layer 3 switches available today tend to only support IP or both IP and IPX, to the exclusion of other network layer protocols. Similarly, selection of LAN port technologies is frequently limited to either 10 or 100 Mbps Ethernet.

Segmenting with Routers

It is important to note that, for the most part, segmentation doesn't create two separate LANs. LANs exist only at the first two layers of the OSI reference model: the physical and data link layers. The segmentation devices examined up to this point have been limited to just these first two layers of the OSI reference model. However, there's another way to segment LANs: by using routers.

Routers can be used in two different ways to segment LANs:

  • To emulate a bridged connection between LANs

  • To route between LANs

Bridge Emulation

Routers are designed to be a universal interconnector in both LANs and WANs. To support their flexibility, they are available with interfaces for virtually every standardized LAN architecture and WAN transmission facility imaginable. Therefore, they can be configured with any or all the interfaces that are required to mimic the functionality of all three types of LAN bridges.

Having already seen that all three types of bridges segment media access domains while unifying MAC broadcast domains, it should be sufficient to say that a router can be programmed to function exactly as a bridge. That is to say, a router can isolate the media access domains of two or more LANs while simultaneously bridging their MAC broadcast domains. This is done by configuring the router interfaces for the two LANs. By virtue of connecting to different router interfaces, the media access domains of these LANs are automatically kept isolated from each other. However, the router will forward any MAC broadcasts, or any other MAC-addressed frames, that a bridge would propagate across the segments.


In deference to their bridging capabilities, routers were sometimes called brouters. This term is a shortened form of bridge-router. Because bridging, as a LAN segmentation technique, has matured and declined, the term brouter has disappeared. Today, it is rare to encounter anyone who still uses it.

Using routers to emulate bridges has fallen out of favor for several reasons. First, bridged networks were unable to scale to meet growing demand for network connectivity. Second, the emergence of LAN switching provided networks with a very cost-effective and highly scalable means of scaling upward. Therefore, bridges became superfluous. Finally, routers tend to be more sophisticated and expensive than bridges. Simple economics reveal that a router's resources are better applied to more sophisticated uses. Using routers to interconnect LANs was an invaluable step, however, in the evolution from flat networks to switched networks.

Routing Between Segments

Routers, unlike bridges or switches, have the capability to operate at the first three layers of the OSI reference model—the physical, data link, and network layers. Consequently, they aren't as limited in their segmentation capabilities as bridges and switches are. They can interconnect two or more LANs without consolidating their MAC broadcast domains! In fact, using a router to segment a LAN creates fully separate LANs, each with its own media access and MAC broadcast domains. Figure 3-13 illustrates a router being used to segment a LAN.

Figure 3-13. Routers can segment both media access and MAC broadcast domains.

In Figure 3-13, two Ethernet LANs are interconnected via a router. Each LAN's media access domain now includes the hub port and router port that provide the interconnection. The two LANs' MAC broadcast domains, however, remain fully separate.

Commonality between these LANs is established at the network layer. In other words, a Layer 3 addressing architecture and protocol suite, such as IP, is required for communications between any two devices that reside on different LANs. Given this, a third domain must be considered whenever segmenting a LAN: the network domain. A network domain consists of all the networked devices that can communicate directly using IP (or other Layer 3 protocols) for addressing across a LAN. Implicit in this definition is that IP packets are not routed to other networks, even though they use a routable address format. Routers are unique in their capability to segment network domains.

The Differences Between Bridges, Switches, and Routers

Routers can do several things that data link layer segmentation devices, such as bridges and switches, can't:

  • Routers can look inside the payload of data frames and identify the packets that are enveloped by the frame.

  • Routers strip away the framing and reconstruct the packets contained in the frame's data field.

  • Routers can forward packets (as opposed to just frames).

Another key difference between bridges and routers is that routers do not just identify which port they need to forward the packet or frame to. They were designed for operation in a potentially more complex, and even circuitous, environment: the WAN. In a WAN, there may be multiple paths through the network to get from any point to any point. The router can identify all the potential paths through the network to any given destination address. More significantly, the router can discriminate between the alternatives and select the best path.


< Back Contents Next >

Save to MyCKS


Breaking News

One of the primary architects of OpenCable, Michael Adams, explains the key concepts of this initiative in his book OpenCable Architecture.

Expert Advice

Ralph Droms, Ph.D., author of The DHCP Handbook and chair of the IETF Dynamic Host Configuration Working Group, guides you to his top picks for reliable DHCP-related information.

Just Published

Residential Broadband, Second Edition
by George Abe

Introduces the topics surrounding high-speed networks to the home. It is written for anyone seeking a broad-based familiarity with the issues of residential broadband (RBB) including product developers, engineers, network designers, business people, professionals in legal and regulatory positions, and industry analysts.


From the Brains at InformIT


Contact Us


Copyright, Terms & Conditions


Privacy Policy


© Copyright 2000 InformIT. All rights reserved.