Introduction to VLANs
Tamanna Bhatia
Virtual LANs (VLANs) allow network administrators to subdivide a physical network into separate logical broadcast domains. A VLAN might comprise a subset of the ports on a single switch or subsets of ports on multiple switches. By default, systems on one VLAN don't see the traffic associated with systems on other VLANs on the same network. Without VLANs, all hosts connected to a Layer 2 switch are members of the same broadcast domain, and broadcast domains can only be separated physically, by placing hosts on different switches joined by routers.
Ports on switches can be assigned to one or more VLANs, allowing systems to be divided into logical groups, for example by the department they belong to, with rules established about how systems in the separate groups are allowed to communicate with each other. These can range from the simple and practical (computers in one VLAN can see the printer on that VLAN, but computers outside that VLAN cannot) to the complex and legal (e.g., computers in the trading departments cannot interact with computers in the retail banking departments).
Because VLANs operate at Layer 2, Layer 3 routing is required to allow communication between VLANs, in the same way that a router would segment and manage traffic between two subnets on different switches. In addition, some Layer 3 switches support routing between VLANs, allowing traffic exchange to occur at the core switches and thereby increasing performance by avoiding sending traffic through the router.
As networks scale, it becomes necessary to introduce multiple broadcast domains in order to segment traffic for performance, security or logistics reasons. Without the use of VLANs, this would typically require each network segment to have its own separate switch infrastructure, with one or more routers managing communication between each switch segment.
Some VLAN functions include:
- Separating network management traffic from end-user or server traffic
- Isolating sensitive infrastructure, services and hosts, such as separating corporate users from guest users
- Prioritizing or implementing Quality of Service (QoS) rules for specific services, such as VoIP phones
- Providing network services for different clients in an ISP, data center or office building using the same switch and router infrastructure
- Separating groups of hosts logically, irrespective of physical location—for example, allowing human resources employees to share the same network subnet and access the same network resources, regardless of their location within the building
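The following toy switch simulation is an added example, not part of the original article. It models the behaviour described above: access ports stamp untagged frames with their VLAN, a trunk between two switches carries frames with an 802.1Q tag (TPID 0x8100, 12-bit VID), MAC addresses are learned per VLAN, and broadcasts or unknown unicasts are flooded only to ports in the same VLAN. The topology, host MAC addresses and payloads are constructed for the demo; the switch names, port numbers and VLAN IDs 10 (HR) and 20 (Finance) are assumptions, not values from the article.

```python
"""Toy Layer 2 switch: access ports, an 802.1Q trunk, and per-VLAN flooding."""
import struct
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: str
    src: str
    payload: bytes
    vid: Optional[int] = None  # 802.1Q VLAN ID; None on an untagged (access) link


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def encode_8021q(frame: Frame) -> bytes:
    """Serialise dst(6) src(6) TPID(2) TCI(2) payload; PCP and DEI are left at 0."""
    tci = frame.vid & 0x0FFF  # the VID occupies the low 12 bits of the TCI
    return (mac_to_bytes(frame.dst) + mac_to_bytes(frame.src)
            + struct.pack("!HH", TPID_8021Q, tci) + frame.payload)


def decode_8021q(raw: bytes) -> Frame:
    """Parse a tagged frame back into a Frame; a trunk rejects untagged frames."""
    tpid, tci = struct.unpack("!HH", raw[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame received on a trunk link")
    return Frame(bytes_to_mac(raw[0:6]), bytes_to_mac(raw[6:12]), raw[16:], vid=tci & 0x0FFF)


class Switch:
    def __init__(self, name: str):
        self.name = name
        self.access = {}     # port -> VID for untagged access ports
        self.trunks = {}     # port -> (peer switch, peer port)
        self.mac_table = {}  # (VID, MAC) -> port, learned separately per VLAN
        self.delivered = []  # (port, VID, dst MAC) frames handed to an end host

    def add_access_port(self, port: int, vid: int) -> None:
        self.access[port] = vid

    def connect_trunk(self, port: int, peer: "Switch", peer_port: int) -> None:
        self.trunks[port] = (peer, peer_port)
        peer.trunks[peer_port] = (self, port)

    def receive(self, port: int, frame: Frame) -> None:
        # An access port assigns its own VLAN; a trunk port trusts the 802.1Q tag.
        vid = self.access[port] if port in self.access else frame.vid
        self.mac_table[(vid, frame.src)] = port
        known = self.mac_table.get((vid, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            self._send(known, vid, frame)  # learned unicast: forward to one port
            return
        # Broadcast or unknown unicast: flood, but only within this VLAN.
        for out in list(self.access) + list(self.trunks):
            if out == port:
                continue
            if out in self.access and self.access[out] != vid:
                continue  # a different VLAN: the broadcast domain ends here
            self._send(out, vid, frame)

    def _send(self, port: int, vid: int, frame: Frame) -> None:
        if port in self.access:
            self.delivered.append((port, vid, frame.dst))  # untagged to the host
        else:
            peer, peer_port = self.trunks[port]  # tagged across the trunk
            tagged = Frame(frame.dst, frame.src, frame.payload, vid=vid)
            peer.receive(peer_port, decode_8021q(encode_8021q(tagged)))


# Constructed demo topology: HR (VLAN 10) and Finance (VLAN 20) span both switches.
HR_A, HR_B, FIN_A = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"


def run_demo() -> dict:
    """Three constructed traffic cases; returns what reached hosts on (sw1, sw2)."""
    sw1, sw2 = Switch("sw1"), Switch("sw2")
    sw1.add_access_port(1, 10); sw1.add_access_port(2, 20)   # HR-A, FIN-A
    sw2.add_access_port(1, 10); sw2.add_access_port(2, 20)   # HR-B, FIN-B
    sw1.connect_trunk(24, sw2, 24)
    results = {}
    # 1. HR-A broadcasts (think ARP): only VLAN 10 ports see it, even on the far switch.
    sw1.receive(1, Frame(BROADCAST, HR_A, b"who-has 10.0.10.20?"))
    results["broadcast"] = (list(sw1.delivered), list(sw2.delivered))
    sw1.delivered.clear(); sw2.delivered.clear()
    # 2. HR-B replies: a learned unicast goes straight to HR-A's port across the trunk.
    sw2.receive(1, Frame(HR_A, HR_B, b"10.0.10.20 is-at hr-b"))
    results["reply"] = (list(sw1.delivered), list(sw2.delivered))
    sw1.delivered.clear(); sw2.delivered.clear()
    # 3. FIN-A addresses HR-A directly: the frame never leaves VLAN 20, so a router is needed.
    sw1.receive(2, Frame(HR_A, FIN_A, b"hello hr"))
    results["cross_vlan"] = (list(sw1.delivered), list(sw2.delivered))
    return results


if __name__ == "__main__":
    for case, (on_sw1, on_sw2) in run_demo().items():
        print(f"{case:11} sw1={on_sw1} sw2={on_sw2}")
```

Case 3 is the point the article makes about Layer 3: even with HR-A's MAC address as the destination, a frame entering on a VLAN 20 port is looked up and flooded only within VLAN 20, so it reaches the other Finance port and never HR-A; only a router or Layer 3 switch holding an interface in both VLANs could carry it across.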