Virtual Local Area Network (VLAN)

The concept of VLANs can be explained from two viewpoints: scaling and isolation. I’ll explain. Imagine you have a company, and in that company there are only five of you. You decide to create a Local Area Network (LAN) for effective communication between devices.

Over time, the business booms and you have to hire more employees. You now have close to a thousand employees. At some point, with just one LAN, things are going to get messy. The devices are going to create broadcast traffic, so now you have hundreds of devices sending broadcasts throughout the network, and every other device using up CPU resources deciding which ones to accept and which ones to discard. You would have a lot of bandwidth wasted on nothing, and at some point the network might crash. That’s scale.

Now, imagine a company with three departments—the Admin, Finance and Operations departments. All of them are connected to the company network, but you don’t want the operational staff to have access to the Admin network. You also don’t want them accessing the Finance network. You need to isolate them in some way.

Your first option would be to just create different LANs for the different departments, so that instead of having one huge Layer 2 (L2) broadcast domain, you now have small segmented L2 networks. Remember I said before that broadcast domains are like rooms. If Bobby, Lillian and Joe are in a room and I want to call Bobby, I can just go to the room and shout his name. He’ll hear me and the others will ignore the call because it’s not for them. Isolated L2 networks cannot communicate with each other, so we’d need to bridge them with L3 devices. So, we add routers to route between the LANs.

It’s just like saying you’re no longer in the same room with me, so you cannot talk to me in person anymore. For you to communicate with me now, it has to be over the intercom. The problem with that method is that it requires a lot more devices, because you need one switch per LAN. You also need a router if there is to be any intercommunication at all. That’s all more expenditure.

The second solution is Virtual Local Area Networks (VLANs). With traditional Local Area Networks, if you had to create multiple LANs, the devices in each LAN had to be in the same physical location: the same room, the same floor or the same office block. You then connected them to a router that was connected to the LAN in another physical location. You could not have more than one LAN on one switch.

VLANs, however, allow you to create multiple logical LANs on one physical device and assign any port to any VLAN you wish. So, if you had office blocks A, B and C with one switch in each block, you could assign some devices from block A and some devices from block C to the Admin VLAN, and assign some devices from blocks B and C to the Finance VLAN. That’s not possible in traditional LAN networks.


The isolation VLANs provide also helps security. When deploying Wi-Fi, for example, VLANs are used to create separate virtual networks so that guests can be isolated from other users on the same Wireless Access Point (AP). That keeps an attacker on the public-facing Wi-Fi from reaching the internal networks. Without VLANs, that would require getting more than one AP and connecting them to different LANs.

Assigning VLANs

VLANs are assigned on a switch, and there are different ways of assigning VLANs. There is:

  • Interface-based assignment
  • MAC Address-based assignment
  • IP subnet-based assignment
  • Protocol-based assignment
  • Policy-based assignment

Interface-based assignment is where you enter an interface on a switch and assign that interface to a VLAN. Any traffic entering the switch from that port will then be tagged with the VLAN ID of the VLAN you assigned it to. That means any device connected to that interface is automatically in that VLAN.

MAC Address-based assignment is where you assign a device’s MAC Address to a VLAN. As soon as the switch sees a frame coming from that device, it assigns the frame to that VLAN.

With IP subnet-based assignment, you assign a subnet to a VLAN, so any traffic coming from that subnet automatically gets tagged with the VLAN ID of the VLAN you assigned it to.

You can also map protocol types to VLAN IDs so that the switch tags the frame when it sees that protocol type in the frame header.

Policy-based assignment means you can create a policy of multiple parameters, like a combination of the above. Whenever a frame matches the policy, the switch tags the frame.

IEEE 802.1Q Tagging (Dot 1 Q Tagging)

In case you don’t fully understand, an interface is a port on an end device (like a computer, printer or IP camera) or a network device (like a switch, router or firewall) that connects it to a network. In reality, an interface is more than just a port, because it includes the logical representation of the port; configuration is done on the interface. It’s just like you as a human being. If we want to describe you as a person, we can describe your body, but in reality you are more than just big nostrils on a head with a trunk and limbs. You have a logical representation too: your personality, your beliefs, your attitude, your flaws. When a person changes, it’s that logical representation of the person that changes.

When frames pass through switches, the switch uses VLAN tags to identify the VLAN they belong to. It’s like postal services using stamps to identify the country a letter is coming from.

With VLANs, there are three types of interfaces—access, trunk and hybrid ports.

An access port is a port on the switch to which an end device is connected. It is meant for devices to access the network. The interface is usually assigned to a VLAN, and has something called a Port VLAN ID (PVID). Access ports add tags to untagged frames coming from end devices. They can be assigned to only one VLAN.

A trunk port is a port that allows untagged frames and frames tagged with the VLAN IDs it has been configured to allow. It is like a highway. Its purpose is to connect different switches so they can all act like one giant switch running VLANs, or to pass traffic to a router to allow Layer 3 communication between the VLANs.

A hybrid port tags untagged frames (like an access port) and also allows frames from the other VLANs it has been configured to allow (like a trunk port).

When an untagged frame enters an access port, the port tags the frame with the VLAN ID corresponding to its Port VLAN ID. That frame will then only be able to pass through trunk ports that allow its VLAN ID or access ports that are in the same VLAN.
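As an added example (not from the original article), here is a small Python model of the behaviour just described: an access port inserts the 4-byte 802.1Q tag on ingress, and the tagged frame is then only delivered through an access port with the same PVID or a trunk that allows that VLAN ID. The VLAN numbers, MAC addresses and the "Finance = VLAN 20" mapping are constructed for the example, and untagged native-VLAN handling on trunks is left out.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Access-port ingress: insert the 802.1Q tag after the 12 bytes of dst/src MAC.
    Tag = TPID (0x8100) + TCI, where TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | vid                      # DEI bit left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (vid, pcp) if the frame carries an 802.1Q tag, otherwise None."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, tci >> 13
    return None

def strip_tag(frame: bytes) -> bytes:
    """Access-port egress: remove the tag so the end device sees a plain frame."""
    return frame[:12] + frame[16:]

def egress(frame: bytes, port: dict):
    """Egress decision for one switch port.
    port = {"mode": "access", "pvid": N} or {"mode": "trunk", "allowed": {...}}.
    Returns the frame as it leaves the port, or None if the port drops it."""
    tag = parse_tag(frame)
    if tag is None:
        return None                              # inside the switch every frame is tagged (model assumption)
    vid, _ = tag
    if port["mode"] == "access":
        return strip_tag(frame) if vid == port["pvid"] else None   # same VLAN only
    if port["mode"] == "trunk":
        return frame if vid in port["allowed"] else None           # allowed list only
    raise ValueError("unknown port mode")

# Constructed sample: an untagged ARP request (EtherType 0x0806) from a Finance host
UNTAGGED = bytes.fromhex("ffffffffffff" "0a1b2c3d4e5f" "0806") + b"\x00" * 28

def demo():
    """Tag the frame as VLAN 20 on ingress and try four egress ports."""
    finance_frame = tag_frame(UNTAGGED, vid=20)   # Finance access port has PVID 20
    results = {
        "finance_access": egress(finance_frame, {"mode": "access", "pvid": 20}),
        "admin_access":   egress(finance_frame, {"mode": "access", "pvid": 10}),
        "uplink_trunk":   egress(finance_frame, {"mode": "trunk", "allowed": {10, 20}}),
        "guest_trunk":    egress(finance_frame, {"mode": "trunk", "allowed": {30}}),
    }
    return finance_frame, results
```

Only `finance_access` and `uplink_trunk` return a frame; the Admin access port and the guest-only trunk drop it, which is the isolation the article describes.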


The Institute of Electrical and Electronics Engineers (IEEE) is the body that developed the IEEE 802.1Q standard, which supports VLAN deployment on an Ethernet network. Some vendors, however, have proprietary VLAN protocols, and they are slightly different from IEEE 802.1Q, or the Dot1q protocol as it is sometimes referred to.
