The Virtual Local Area Network, or VLAN, is a networking technology that allows physically dispersed devices, even in different places. This technology provides better performance and management flexibility in large-scale networks.
In a traditional LAN, all devices are located in the same network segment and have the same IP address range. However, different departments or user groups may require different network settings.
If this is the case, we can divide our network into separate segments, but for nodes in these isolated networks to talk to one another, we’ll need to deploy routers. VLAN technology solves this problem by creating different logical groups within the network segment.
A VLAN provides logical grouping across multiple network segments. Each VLAN can have a different ID. These identities are defined using tables specific to each VLAN when routing traffic on the network. These VLAN-specific tables only route traffic with IDs to the appropriate VLANs.
VLANs divide devices into logical groups without considering network segments or physical connections. It provides network administrators with flexibility, such as limiting traffic for a specific user group with a certain bandwidth or restricting access of devices in a VLAN to particular resources. They can also improve network performance by dividing traffic into segments and facilitating network management.
History of VLAN
As Ethernet gained popularity in the late 1980s, administrators looked for better ways to control increasingly complex networks, prompting the development of virtual local area networks.
In traditional network designs, all devices are located in the same network segment and have the same IP address range. However, different departments or user groups may require different network settings.
Routers are necessary because they allow devices on different network portions to talk to one another. Using routers makes the network more complex and challenging to manage.
The Virtual Local Area Network technology, defined by the IEEE 802.1Q standard, solves this issue by segmenting Ethernet traffic into VLANs with a 4-byte ID. With this number, we can tell which Virtual Local Area Network a given device is a part of. Utilizing VLAN-specific databases during network traffic routing defines the Identifiers.
Cisco Systems introduced VLAN technology in the 1990s, which is considered an essential innovation for administering large networks. They improved segment traffic in the network performance while simplifying network management.
In the following years, VLAN technology continued to evolve. In particular, the IEEE 802.1ad standard (also known as Q-in-Q) further developed the technology. The feature of this standard was to further scale the network by dividing the traffic within a VLAN into more VLANs.
VLAN technology is now extensively utilized in the network industry. This technology provides flexibility, such as limiting the traffic and access of certain groups in the network.
How Does VLAN Work?
Examining the history of VLANs, the process of creating VLANs, and how VLANs function is crucial to grasping the inner workings of this technology.
Network administrators start the process of creating VLANs by choosing what kinds of devices should use the same network segments. Once they have identified these devices, they divide the network into sections and assign a VLAN number to each team. As a result, each VLAN operates like a separate network on its own.
The network administrator places devices they want to create VLANs for into the same VLAN by adding tags to the ports of those devices. These tags indicate which VLAN the devices belong to in the network. Network protocols allow devices to recognize VLAN tags, limiting communication to devices inside the same VLAN.
VLANs operate at layer 2 of the physical network; each VLAN can be considered a separate network segment. It allows network administrators to direct other network traffic in different ways.
For example, a network administrator could create a separate VLAN for a company’s finance department. Network protocols that permit communication between devices recognize VLAN tags, and communication between devices occurs only among those in the same VLAN. It protects sensitive financial data from other departments’ devices.
Network administrators limit virtual LANs and configure tagging correctly to ensure the effective operation of VLANs. When virtual networks are considered separate network segments, each group should have its IP address range and network mask.
Due to the tagging and use of separate IP address ranges, direct communication between devices in different virtual LANs is impossible. Routers let devices in different VLANs talk to each other and send traffic where it needs to go.
What are the Types and Features of Virtual LANs?
VLANs can be of different types to help network administrators enhance network security, improve performance, and facilitate management.
- Port VLANs
It allows network administrators to limit access to a specific group of devices by assigning a physical port to a VLAN. It enables them to separate devices based on physical ports and identify devices with access to a VLAN, helping network administrators improve network security and manage network traffic more effectively.
- Protocol-based VLANs
It separates traffic based on a specific protocol type and creates a separate VLAN for each protocol. This configuration type allows network administrators to permit the use of different protocols on the network and better manage traffic.
- MAC-based VLANs
Network administrators can restrict VLAN access based on a device’s MAC address. This configuration type enables network security and ensures that specific devices operate in VLANs.
- Dynamic VLANs
Automatically assign a VLAN based on the type of physical port a user connects. This type allows network administrators to reconfigure the network quickly.
- Voice VLANs
It provides a separate VLAN for IP phones in the network. It directs voice traffic to a different section and improves voice quality on the web.
- Management VLANs
It allows network administrators to assign a separate VLAN to management devices. It enables them to isolate management traffic in a separate section, making network management operations more secure.
What are the versions of VLAN?
Since its inception in the 1990s, VLAN has developed various implementations.
- Version 1 (IEEE 802.1Q)
The first version of Virtual Local Area Network technology, IEEE 802.1Q, was released in 1998. This version defines VLAN Tagging, a method to add tags to VLANs. This version offers a network structure where a single administrator manages all network traffic.
- Version 2 (IEEE 802.1Qay)
IEEE 802.1Qay is a solution that provides higher bandwidth and better scalability. This version supports sophisticated capabilities like Multiple Spanning Tree Protocol (MSTP) and Provider Backbone Bridges (PBB). 2009 saw the launch of IEEE 802.1Qay.
- Version 3 (IEEE 802.1Qbp)
IEEE 802.1Qbp was released in 2012 and supported the PBB-TE (Provider Backbone Bridging – Traffic Engineering) feature. This feature allows network administrators to direct and optimize network traffic.
- Version 4 (IEEE 802.1Qbv)
IEEE 802.1Qbv was released in 2015 and is a solution that enables better management of time-sensitive traffic (e.g., voice and video). This version supports integration with Time-Sensitive Networking (TSN) protocols.
- Version 5 (IEEE 802.1Qbu)
IEEE 802.1Qbu was released in 2016 and is a solution that enables faster traffic transportation. This version supports the Ethernet Frame Fragmentation and Reassembly (EFR) feature.
- Version 6 (IEEE 802.1Qbz)
IEEE 802.1Qbz was released in 2016 and offered an easier way to manage virtual LAN segments. This version supports the VLAN Mapping feature.
Applications of Virtual LANs
Virtual local area networks (VLANs) have many uses and are available in various places. Here are some common areas of use of VLANs:
- Businesses: By creating separate networks for different departments within the network, VLANs make network management more effective. Additionally, this increases the security of sensitive data within businesses. For example, you can create a separate VLAN for the finance department, and only employees can access that VLAN.
- Schools: VLANs can ensure students are in different networks based on their classes or departments. It can help control students’ internet usage and secure the school network.
- Hospitals: By creating separate networks for different hospital departments, VLANs can ensure the security of medical devices and other systems. For instance, the operating room and intensive care unit might have a virtual local area network (VLAN).
- Airports: Airports include many devices and systems that cover large areas. VLANs allow different techniques, such as flight information systems, security systems, and air traffic control systems, to be in separate networks. It can prevent possible conflicts between systems and make the web more secure.
- Convention Centers: Convention centers are used for various events and may require different network needs for each event. VLANs can make network management more effective by creating separate networks for other events. A dedicated conference room, accessible exclusively to registered guests, is only one example.
Basic VLAN Commands
The CLI (Command Line Interface) commands used for basic Virtual Local Area Network operations are as follows:
1) Creating a VLAN:
2) Adding a port to a VLAN:
3) Removing a port from a VLAN:
4) Displaying VLAN information:
5) Creating a trunk port to enable communication between VLANs:
6) Adding an IP address to a VLAN:
7) Removing an IP address from a VLAN:
8) Blocking communication between VLANs:
How to Configure VLAN Using CLI?
Configuring VLANs is crucial for network administrators. A proper VLAN configuration helps improve network performance and makes management easier.
When configuring VLANs on Cisco devices, there are some critical points to remember. For instance, it’s important to label and assign VLANs and ports correctly. Additionally, unique numbers should be set to VLANs to avoid conflicts.
1) Create VLAN10 and VLAN20 on the switch:
2) Set up ports to access VLANs on the Switch. For example, you can assign Switch ports 1 and 2 to VLAN10 and VLAN20, respectively:
3) For the router to manage two different VLANs, you must create sub-interfaces. For example, subinterface 0/0.10 could represent VLAN10, subinterface 0/0.20 VLAN20:
4) You must set up a trunk connection to manage the traffic between the Router and Switch. For example, you can connect the router’s gigabitethernet 0/0 interface to the Switch’s gigabitethernet 0/1 port:
With these steps, we have completed the necessary configurations to enable communication between VLANs. So, devices in each VLAN can connect to their subnets, and communication between VLANs is possible.
Lastly, the following commands can test the adjusted settings:
These commands display various network features such as VLANs, port configurations, trunk connections, and subinterfaces. Another option is to use the
show ip interface brief command to check the IP address assignment.
Network security is paramount, and there are many things to consider when setting up a network. These factors include proper design, traffic monitoring, defining privileges, access control lists, and specific security settings.
Proper configuration involves assigning each user on the network to a separate group and limiting their access to other groups. It increases network security and prevents information sharing between different user groups.
Traffic monitoring is essential for network security. It involves monitoring network traffic to identify potential security threats. It is crucial when there are multiple VLANs on the network, as it can be more difficult for network administrators to monitor and control traffic.
Defining privileges is necessary to determine the allowed benefits. It enables each group’s access rights and permissions to be selected, providing different access levels to other user groups. It ensures that each user only has access to the information they require.
VLAN access control lists (ACLs) are another tool for controlling VLAN access. ACLs allow administrators to limit group access and control user access rights. It increases network security by preventing unwanted users from accessing the network.
LAN-specific security settings allow for specific security settings for certain VLANs. These settings include certain access rights for users, monitoring port status, monitoring user activity, and blocking user access to particular applications.
Advantages of Using VLANs
Here are the most critical advantages of VLANs:
- Security: They can logically separate devices connected to the network, increasing network security by limiting an attacker’s access to other devices if they gain access to one device.
- Flexibility: This allows the network to be logically segmented, assigning users to different segments based on their needs. For example, a business can create VLANs for management, employees, and guests.
- Performance: They allow network traffic to be divided and split into smaller broadcast domains, which increases network performance by reducing the impact of heavy traffic in one group on other groups.
- Management: They simplify network management by facilitating the placement of devices in the network. They also allow administrators to manage each area independently.
- Cost: They enable more efficient use of network hardware. For example, a business can run multiple VLANs on the same network hardware without purchasing separate hardware.
- Future-proofing: They provide flexibility to anticipate and reorganize the network for future needs. In other words, they can adapt to the ever-changing nature of a network.
- Reliability: They increase network reliability by minimizing the number of affected devices in case of network failures. They can isolate failed network equipment.