VLAN (Virtual LAN)

What is a VLAN (virtual LAN)?

A logical overlay network known as a virtual LAN (VLAN) is used to isolate traffic for individual groups of devices that share a physical LAN.

VLAN (Virtual LAN)

A Local Area Network (LAN) is a collection of computers or other devices that are located in the same area, such as the same building or campus, and share a common physical network. An Ethernet (Layer 2) broadcast domain, which encompasses the range of network devices that an Ethernet broadcast packet may reach, is often associated with a local area network (LAN).

The same network switch is connected to computers on the LAN either directly or through wireless access points (APs) that are also connected to the switch. Additionally, computers may connect to any one of a group of switches that are interconnected, such as a group of access switches connected to a backbone switch. Even if everything remains in the same building or floor, traffic is not regarded as being on the same LAN after it passes a router and participates in Layer 3 (IP-related) operations. Consequently, a site may have several LANs that are linked.

Similar to the LAN it resides above, a VLAN functions at the Ethernet level, or Layer 2, of the network. By dividing a single switched network into a collection of overlaying virtual networks, VLANs fulfill various functional and security needs. By partitioning, it is not necessary to have separate physical networks for each use case.

The purpose of a VLAN

VLANs are used by network engineers for many purposes, such as the following:

  • In order to enhance performance.
  • To increase security.
  • To make administration easier.
  • Enhance output.
VLAN (Virtual LAN)

VLANs may reduce the amount of traffic that a particular endpoint sees and processes, which can enhance performance for devices on them. By dividing broadcast domains, VLANs lower the total number of hosts that a particular device may receive broadcasts from. For instance, phones won't receive any workstation-generated broadcast traffic if all desktop voice over IP phones are connected to one VLAN and all workstations are connected to another. Each may restrict the network traffic to only what is relevant.

Engineers may define different traffic-handling rules for each VLAN. To assist ensure the functioning of telepresence devices, they might implement rules to prioritize video traffic on a VLAN that links conference room equipment.

Tighten security:

  • Because VLAN partitioning allows for more control over which devices may communicate with one another, it can also increase security. Network teams could, for instance, limit management access to certain VLANs for network equipment or Internet of Things devices.

Facilitate management:

  • Administrators may group devices for non-technical, purely administrative reasons by using VLANs to group endpoints. They may group all computers used for accounting together on one VLAN, all computers used for human resources together on another, and so on.

VLAN types

VLANs may be use-based (often referred to as dynamic) or port-based (sometimes referred to as static).

1. Static or port based VLAN:

By designating ports on a network switch to a VLAN, network engineers may build port based VLANs. Each of the ports is exclusively on one VLAN, and they may only communicate on the designated VLANs. Even while port based VLANs are sometimes referred to as static VLANs, it's crucial to keep in mind that they aren't really static since the VLANs that are assigned to the port may be modified at any moment, either manually or automatically by the network.

VLAN (Virtual LAN)

2. Dynamic or use based VLAN:

By dynamically allocating traffic to a VLAN according to the kind of traffic or the device generating the traffic, network engineers may establish use based VLANs. Based on the network protocols being used or the identification of the device connected (as shown by a security certificate), a port may be allocated to a VLAN. A single port may be connected to many dynamic VLANs. The VLAN allocated to a port may vary depending on what device is connected to it or even how the device is currently being utilized.

Applications of VLANs

Certain VLANs have straightforward objectives, such as separating access for printers. Administrators have the ability to configure them such that computers inside a VLAN may view printers on that VLAN but not those outside of it.

Other VLANs have more intricate uses. Computers in a retail banking department, for instance, are unable to communicate directly with those in the trading divisions. Network engineers may enforce this kind of segmentation by having distinct VLANs set up for each department.

How do VLANs operate?

On network switches, a VLAN can be identified by its VLAN ID. A switch's ports may be allocated one or more VLAN IDs; if none are set, the port will default to the default VLAN. Every VLAN grants data-link connectivity to all hosts linked to switch ports that have been set up with its unique VLAN ID.

VLAN (Virtual LAN)

A 12-bit field in the header data of each Ethernet frame delivered to a certain

VLAN is called a VLAN tag, which is equivalent to a VLAN ID. Up to 4,096 VLANs may be formed per switching domain since a tag consists of 12 bits. IEEE defines VLAN tagging in the 802.1Q standard.

An Ethernet transmission has no VLAN tag when it is received from a host that is connected. The VLAN tag is added by the switch. The switch inserts the tag linked to the VLAN ID of the ingress port in a static VLAN. It puts the tag linked to the ID of that device or the kind of traffic it produces into a dynamic VLAN.

Switches only forward to ports that are connected to the VLAN when forwarding tagged packets to their intended media access control address. Traffic categorized as broadcast, unknown unicast, and multicast is routed to every port inside the VLAN. Trunk connections allow any traffic for any VLAN in use on both sides of the trunk to be accepted and sent forward, and they are aware of which VLANs span the switches. The VLAN tag is eliminated from a frame before it is sent to the target device after it has reached its destination switch port.

Each Layer 2 domain's switches are configured in a loop-free topology using the Spanning Tree Protocol (STP). The usage of a per-VLAN STP instance allows for the use of various Layer 2 topologies. If the topology is the same across many VLANs, a multi-instance STP may also be employed to lower STP overhead.

Disadvantages of VLANs:

VLANs provide better performance, easier administration, more security, and control over broadcast traffic. However, they also have some drawbacks.

VLAN (Virtual LAN)

1. Limit of 4,096 VLANs per switching domain:

In a contemporary data center or cloud architecture, one drawback of VLANs is their 4,096 VLAN per switching domain restriction. Tens or thousands of systems and hundreds or thousands of different tenant organizations may be hosted on a single network segment, and each may need tens or hundreds of VLANs.

Other protocols, such as Generic Network Virtualization Encapsulation, Virtual Extensible LAN, and Network Virtualization utilizing Generic Routing Encapsulation, have been developed to overcome this restriction. They facilitate tunnelling Layer 2 frames inside of Layer 3 packets and bigger tags, which allow additional VLANs to be established.

2. Taking care of spanning tree structures:

Another drawback is that the network may find it challenging to maintain the spanning tree structures required to avoid traffic loops when there are a lot of big VLANs. Removing unnecessary connections from the network is the simplest way to address this. Unfortunately, this exposes the network to a single point of failure in locations where redundant links were eliminated.

3. VLAN detection using APs and wall jacks:

Another issue with VLANs is that it might be difficult to ensure it is easy to identify which VLANs an AP or wall socket is connected to. End users and field service support employees may find it more challenging to connect new devices to the network as a result.

Poor planning makes the entire VLAN design too complex, fragile, and challenging to maintain when demands and underlying network equipment change. This drawback is not exclusive to VLANs but nonetheless impacts them.

How to configure a VLAN on business networks?

Traffic on network cables is divided and given priority using virtual local areas, or VLANs. They design discrete subnets that allow certain devices to function together even when they are not physically connected to the same local area network.

VLANs are used by businesses to divide and control traffic. For instance, a business may designate distinct VLANs for the data traffic coming from the engineering and accounting departments in order to segregate them. Even if two or more apps run on the same server but have distinct needs, they may share a link. An application with less essential performance needs may share a connection with an application that has strict throughput and latency requirements, such as a speech or video application.

Configuring a VLAN

Although setting up a VLAN may be difficult and time-consuming, business networks can benefit greatly from VLANs, including increased security. These are the processes involved in configuring a VLAN.

VLAN (Virtual LAN)

1. Configure the VLAN first:

Every switch that carries the VLAN has to be set up accordingly. Teams must be careful to update switch settings, replace a switch, or add an extra VLAN whenever they make changes to the network setup.

2. Establish lists for access restrictions:

VLANs are subject to ACLs, which control the access permitted to each user connected to a network. In particular, VLAN ACLs (VACLs) regulate access to a VLAN at all points where it crosses a switch and at the points where packets enter and depart the VLAN. Network teams should be very careful while establishing VACLs since the setup process might be challenging. If a mistake happens during the configuration or modification of VACLs, network security may be jeopardized.

3. Use Command-Line Interfaces to access databases:

A set of CLI commands is provided by each OS and switch manufacturer in order to setup and alter VLANs on their goods. Certain administrators create files with these commands in them, which they then alter to change the settings as needed. One or more apps may fail as a result of a single mistake in the command files.

4. Consider managing accounts packages:

Third-party and equipment providers provide management software packages that streamline and automate tasks, decreasing the possibility of mistakes. In the event of a problem, these programs can rapidly reinstall the most recent functional configuration since they often keep a thorough record of every set of configuration parameters.

VLAN identification through tagging

Methods to identify VLANs is defined by the IEEE 802.1Q standard.

Ethernet packets start with the destination and source media access control addresses, and then they include the 32-bit VLAN identification field.

Identification of the tag procedure:

  • The first 16 bits of a VLAN frame include the TPID. The packet is identified as a VLAN packet by the hexadecimal number 8100 seen in the TPID. The EtherType field is present in the packet location of packets that do not include VLAN data.

Information about tag control:

  • The TPID is followed by the 16-bit TCI field. It has three fields: the 12-bit VLAN identification (VID) field, the single-bit drop eligibility indication (DEI), and the 3-bit priority code point (PCP).

The quality of service that the apps using the VLAN expect is specified in the PCP field. These levels are defined as follows by the IEEE 802.1p standard:

  1. A packet with a value of 0 is one that the network is doing its hardest to deliver.
  2. A packet with value 1 is a background packet.
  3. Other packets are identified by values 2 through 6, some of which indicate speech or video packets.
  • Network control packets have the greatest priority, value 7, set aside for them.
  • The single-bit DEI appends additional information to the PCP field and comes after it. In a crowded network, a packet might be dropped thanks to its DEI field.
  • A network may accommodate 4,096 VLANs, and the 12 bits that make up the VID field allow it to identify any of them.

VLANs based on Ethernet

VLANs can be extended to Wi-Fi networks with the assistance of VLAN-aware access points (APs) designed for Ethernet-based setups. These APs utilize the subnet address associated with each VLAN to segment incoming wired traffic effectively. Consequently, only data pertinent to the designated subnet reaches end nodes.

However, enforcing security measures over wireless connections presents challenges compared to wired setups. In certain scenarios, separate guest networks or Service Set Identifiers (SSIDs) with unique passwords are employed to address this concern. Despite these challenges, VLANs were originally conceived to streamline broadcast management and traffic prioritization. As networks have grown in size and complexity, VLANs continue to prove their worth in optimizing network performance and management.






Latest Courses