What is VLAN (Virtual Local Area Network)?

VLAN (Virtual LAN), as defined by the IEEE, stands for Virtual Local Area Network. It works at layer 2 of the OSI model. With this technology, network users and resources on a local area network (LAN) are logically grouped and assigned to switch ports. These logical networks are separate broadcast domains. Once configured, each Virtual LAN receives only its own broadcasts, so broadcast traffic is reduced and the available bandwidth increases. When a new VLAN is needed on the LAN, the unused ports of an existing switch can be assigned to it. This saves on network investment.

Segmenting the network using Virtual LAN enables us to manage users more easily, to configure and implement access permissions more easily, and to identify and resolve potential network problems.

Admitting a guest user to the internal network may not be safe. For this reason, it is safer to give the guest internet access through a separate network isolated from the internal systems. This is done by dividing the network, that is, by configuring VLANs. Users in a VLAN can communicate only with each other; they cannot communicate with users in a different VLAN unless a router or another layer 3 device routes between the two.

Segmentation is done by logically grouping network users and resources on a local area network (LAN) and assigning them to ports on the switch. Since each VLAN receives only its own broadcasts, reducing broadcast traffic frees up bandwidth. VLANs can be defined according to location, department, people or even the application or protocol used.

First of all, let’s talk about a few benefits of configuring it on the network you work with.

  • It reduces traffic by limiting the clutter caused by broadcast messages in the local network.
  • It makes the network more manageable by assigning at least one VLAN to each unit on the local network.
  • It secures the network by controlling the communication (IP routing) between VLANs.
  • It carries many VLANs over fiber-optic or UTP uplink lines using the trunk method.

These are the first benefits of VLANs that come to mind. While firewalls are the precaution against possible attacks from outside, VLAN configuration and authorization are the first priority against internal threats.

Applying Virtual LANs on the network eliminates many problems caused by layer 2 switching. We can group them under three headings.

Broadcast Control

Every protocol produces broadcasts. How many depends on the protocol, the application and how the service is used. On layer 2 switches used in a flat network, an incoming broadcast packet is sent out of every port regardless of whether the end users need to receive it. A high number of devices on the network causes broadcast traffic to increase exponentially, and these packets are sent to every device on the network.

A well-designed network should be segmented according to criteria. The most convenient way to do this is through switching and routing. This prevents broadcast traffic between VLANs.


Another disadvantage of a flat network without VLANs is security. On a network that does not use a switch (one distributed over coax cable or a hub), the data flowing between two computers is transmitted to all devices connected to the network (a shared collision domain). This causes traffic problems and is quite unsafe, because software and even hardware exists that listens to all packets passing on the network and decodes their data. When a switch is used as the distribution device, this can be prevented, since each port becomes its own collision segment. However, in a flat switch topology broadcasts are still sent to all ports, which means that all devices on the network receive each other’s broadcast traffic.

A second point is that users can reach other groups of users on the network with whom they have no need to communicate, and broadcast packets are sent to them. When the network devices on the switch are divided into VLANs, such weaknesses are eliminated. A user can no longer connect to any port on the network, listen to the entire network and gather information. The user can operate only on the VLAN they are connected to.


Creating VLANs on a network in effect creates broadcast groups. Regardless of a user’s physical location on the switches, you have the flexibility to assign that user to the VLAN you want. Likewise, a VLAN that grows over time can be moved into newly created VLANs. This requires only a new port definition on the switch.

When the same operation is attempted without Virtual LAN support, a physical connection to the central router has to be provided for the new subnet.

A router or another layer 3 device is required for routing between VLANs. One link must run from the switch to the router for each VLAN used on the switch.

Relationships Between VLANs

There are two types of VLANs.

1. Static VLANs (SVLAN): They are defined by the network administrator and assigned to switch ports. A port belongs to its Virtual LAN until the administrator changes it again. This method simplifies network management and monitoring. In a static configuration, the interfaces of uplink ports are tagged with the desired VLAN IDs (tagged). On the interfaces of user ports, the tag of the VLAN the port is a member of is removed (untagged). The user on that port can therefore reach only the IP block of the VLAN whose tag the system administrator has removed on that port.

Finally, all switches, modems, firewalls, and routing and monitoring servers in our network must be members of VLAN-100, which is the “Network Management VLAN”. They use this VLAN-100 network when communicating among themselves.

2. Dynamic VLANs (DVLAN): The switch identifies the VLAN of the device connected to a port and automatically assigns that port to the VLAN it identifies. With network management programs, the identification can be based on the hardware address (MAC), the protocol or even the application. For example, suppose MAC addresses are entered into a central VLAN management application. When a device is connected to a switch port that has no VLAN assigned, the VLAN management database is queried for the MAC address and the VLAN value it returns is assigned to that port of the switch.

If the user changes or the device connected to the port changes, the new VLAN value is requested and assigned to the port. Once the database has been carefully prepared, this reduces the network administrator’s management and configuration work. On Cisco devices, VMPS provides the MAC address mapping database service for DVLAN use. In a DVLAN configuration, the uplink ports on the switch are tagged just as in the static configuration.

However, all of the user ports are members of the Virtual LAN of the guest network. With a switch-firewall or switch-DHCP server combination, the user is automatically registered to the right VLAN on the basis of the user’s MAC address. The authorization takes place between the switch and the DHCP server: the ID of the user’s computer is sent to the switch, and the switch makes the port a member of the VLAN that the DHCP server requests. This assignment can be either computer-defined or user-defined. It is also possible with the trio of switch, DHCP server and Active Directory server. If your company has shared computers and you want to authorize them according to the user, you can solve it this way. Thus, computer A is automatically authorized on VLAN-10 if the accountant logs on, on VLAN-40 if the engineer logs on, or on VLAN-200 if our guest logs on.

VLAN Definitions

VLANs are distributed among connected switches. A packet received by the switch is sent to the ports assigned to the VLAN it belongs to, using a method called “frame tagging”. A switch fabric is a group of switches that carry the same information. There are two types of connections on these devices.

Access links: An access link is a connection that belongs to only one VLAN. The device connected to an access link operates on the assumption that it is connected to a broadcast group, unaware of the relationships between VLANs and the physical networks. Switches remove the VLAN header from a packet before sending it to a device connected by an access link. Packets sent by devices on an access link cannot reach devices outside their VLAN unless they are routed by a router or another layer 3 device.

Trunk links: A trunk link can carry multiple VLANs. It can run from a switch to another switch, a router or a server. It is supported only on Fast or Gigabit Ethernet. Cisco switches use two different methods to recognize VLANs on a trunk connection: ISL and IEEE 802.1q. Trunk connections are used to carry VLANs between devices and can be configured to carry all or some of the VLANs.

In the frame tagging method, the switch that receives a packet reads its VLAN ID (VLAN number) and looks up in the filter table what to do with it. The VLAN header is removed from the packet as it leaves the trunk link. If the receiving switch has another trunk connection, the packet is sent on directly through that port. The end device the packet finally reaches cannot see the VLAN information on the packet.

VLAN Identification Methods

Inter-Switch Link (ISL): It is used by Cisco switches and works only on Fast or Gigabit Ethernet. This method is called “external tagging”: it does not change the original packet, but adds a 26-byte ISL header to it, allowing devices to recognize the VLAN. It also adds a 4-byte FCS (frame check sequence) field to the end of the packet to check it. After these additions, the packet can be recognized only by devices that understand ISL. The packet can reach 1522 bytes, whereas the maximum frame length on an Ethernet network is 1518 bytes. When a packet encapsulated with ISL information is about to leave on an access link, all these additions are stripped and it returns to its original form.

IEEE 802.1q: This standard method developed by IEEE is used to carry multiple VLANs between different brands of switches or routers over a connection. A suitable header is placed on the incoming packet according to the defined standard and the VLAN of the packet is recognized among the devices.

LAN Emulation (LANE): It is used to carry multiple VLANs over a connection in the ATM network.

IEEE 802.10 (FDDI): It is used to carry multiple VLANs over a connection in the FDDI network. It adds a VLAN identification header called SAID to the packet.
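The IEEE 802.1q tagging and access-link behaviour described above can be followed on real bytes. This is an added example, not code from the original article; the function names and the sample frame are constructed for illustration, the FCS is left out, and untagged frames are simply dropped in this simplified model.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame (no FCS) into header fields, VLAN tag and payload."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        # TCI = 3-bit priority, 1-bit drop-eligible flag, 12-bit VLAN ID
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Trunk egress: insert the 4-byte tag right after the source MAC address."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must be 0-7")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return frame[:12] + tag + frame[12:]


def egress_access_port(frame: bytes, port_vid: int):
    """Access egress: deliver untagged if the tag matches the port VLAN, else drop."""
    parsed = parse_frame(frame)
    if parsed["vlan"] is None or parsed["vlan"]["vid"] != port_vid:
        return None  # wrong VLAN, or untagged (dropped in this simplified model)
    return frame[:12] + frame[16:]  # end device never sees the VLAN header


# Constructed sample: broadcast ARP frame from host 02:00:00:00:00:01, FCS omitted.
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28
```

Tagging `SAMPLE` for VLAN 10 and passing it to `egress_access_port` returns the original bytes on a VLAN 10 port and `None` on a VLAN 40 port, which is the isolation the article describes.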

Routing Procedures Between VLANs

Devices connected to a VLAN can talk freely among themselves and send their broadcasts. VLANs divide the network and separate the traffic. A layer 3 device is required for devices to talk between VLANs.

In this case, there are two options:

1. A connection is added on a router for each VLAN, the necessary configuration is made on the router, and communication between the VLANs is provided.

2. A router that can define VLANs over ISL (or another trunk connection) is connected to the switch fabric, and communication between the VLANs is provided after the necessary configuration.

If the number of VLANs to be defined on the network is small, the first option can be chosen, using a router with as many connections as there are VLANs.

However, if the number of VLANs is high and the network is open to expansion, the second option should be preferred. Cisco routers provide ISL support in 2600 and later models. In this case, ISL is run on one of the router’s connections (preferably the one with the highest bandwidth), or routing is provided by installing a “route switch module (RSM)” on the router. RSM supports 1005 VLANs, and packet processing takes less time because it works on the router’s backplane. VLAN routing performed by running ISL on the router’s Fast or Gigabit Ethernet connection is called “router-on-a-stick”.

VLAN Trunk Protocol (VTP)

Cisco created the VLAN Trunk Protocol (VTP) for VLAN management of connected switches on the network. VTP enables the network administrator to perform operations such as adding, deleting and renaming VLANs, and it announces the new information to all switches on the network. In multi-switch networks, VTP’s central management eliminates errors such as missing or inconsistent configuration. It enables the establishment of VLAN trunk connections between different networks. For example, it shares VLAN definitions between Ethernet, ATM (LANE) and FDDI. It allows VLANs to be tracked and monitored without errors. It reports dynamically added VLANs to all switches.

In order to manage VTP on the network, a VTP server must serve the network. All servers and switches that are to share the information must be configured in the same VTP domain. Switches broadcast the VTP domain information, the configuration revision number and all known VLANs with their parameters. Switches can also be set to send VTP information on through their trunk ports without accepting it and without updating their VTP database (transparent mode).

Switches listen for incoming VTP information, learn the definition of a new VLAN, and wait for new information about this VLAN from their trunk ports. The VTP information received can be an ID, IEEE 802.10, SAID or LANE. Updates are signalled by increasing the configuration revision number. When a switch receives a configuration revision number higher than its own, it knows that a newer configuration has arrived and saves the incoming information over its old database.

There are three types of VTP operating modes: Server, Client, Transparent.

Server: This is the mode Cisco Catalyst series switches come preconfigured with. At least one VTP server is required in each VTP domain for adding, removing and configuring VLANs. Any change made on a switch running in server mode is announced to that VTP domain. Its configuration is stored in NVRAM (non-volatile RAM).

Client: These are switches that receive information from VTP servers and receive and send update information, but cannot make any changes. Their configuration is not stored in NVRAM (non-volatile RAM); it is temporary.

Transparent: These are switches that pass incoming VTP information on unchanged through their trunk ports without joining the VTP domain. They do not forward changes made to their own VTP database through trunk ports. Their configuration is stored in NVRAM (non-volatile RAM).
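The revision-number rule and the three operating modes above can be modelled in a few lines. This is an added example, not code from the original article or from Cisco; the class and function names and the sample VLAN database are constructed, and `overwrites_domain` is a hypothetical pre-connection check that follows directly from the rule that a higher revision number replaces the old database.

```python
from dataclasses import dataclass, field


@dataclass
class Advert:
    domain: str
    revision: int
    vlans: dict


@dataclass
class Switch:
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: dict = field(default_factory=dict)

    def local_change(self, vlans: dict):
        """Administrator edits the VLAN database on this switch."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot change VLANs")
        self.vlans = dict(vlans)
        if self.mode == "transparent":
            return None            # local only, nothing is announced
        self.revision += 1         # server: bump the revision and announce it
        return Advert(self.domain, self.revision, dict(self.vlans))

    def receive(self, adv: Advert) -> str:
        """Return what the switch does with an advertisement from a trunk port."""
        if self.mode == "transparent":
            return "forwarded"     # passed on unchanged, database untouched
        if adv.domain != self.domain or adv.revision <= self.revision:
            return "ignored"       # other domain, or not newer than what we hold
        self.revision, self.vlans = adv.revision, dict(adv.vlans)
        return "applied"           # old database is overwritten


def overwrites_domain(candidate: Switch, domain: str, domain_revision: int) -> bool:
    """Pre-connection check: would this switch's database replace the domain's?"""
    return (candidate.mode != "transparent" and candidate.domain == domain
            and candidate.revision > domain_revision)
```

Running the check against a switch before it is cabled into a trunk shows whether its stored revision number is higher than the one currently in use, in which case its VLAN list would replace the working one.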


VTP pruning is a change to the VTP configuration that reduces broadcast, multicast and other unicast packets in order to save bandwidth. The VTP pruning service sends an incoming broadcast only to the trunk ports that need to receive it, not to the others. For example, a VLAN 5 broadcast that reaches a switch with no ports in VLAN 5 is not sent out of any port of that switch. VTP pruning is disabled by default on switches. To use VTP pruning, it must be enabled across the whole VTP domain. VLANs 2-1005 are the VLAN numbers on which pruning can be configured. Since VLAN 1 is a management VLAN, it can never be pruned.
