Definition VLAN (virtual LAN)
A virtual LAN network overlay which groups a subset of devices that share physical LAN, separating traffic for each group.
A LAN is basically a group of devices which are in the same place and share the same physical network. A LAN is associated with Ethernet which is a (Layer 2) broadcast domain a set of network devices Ethernet broadcast packet reaches.
Devices or computers on a LAN, connect to the same network through wire or wirelessly with (Aps). Computers can also connect to interconnected switches such as set of accesses all connect to a single backbone switch. When traffic crosses a router and connects to IP related layer 3 functions then it is not treated as the same LAN, even though devices are on the same building or floor. So, a single location can share different interconnected LANs.
Operating at Layer 2 of the network, the Ethernet level VLAN sits at top like a LAN. To meet the functional and security requirements VLAN partition a single switch network into overlaid virtual networks set. Partitioning helps in avoiding multiple distinct physical networks for different uses.
The purpose of a VLAN
For multiple reasons network engineers are VLANS, here are some of them:
- For Enhancing Performance
- For better security
- For making administration easier
Improve performance
Virtual Local Area Networks, or VLANs, reduce the amount of traffic that each endpoint receives and processes, which can greatly improve device performance. VLANs limit the number of hosts from which any device can receive broadcast messages by segmenting broadcast domains.
For example, if all workstations are in a separate VLAN from all desktop voice-over-IP phones, then the phones will not receive broadcast traffic created by the workstations, and vice versa. Because of this division, every group can dedicate its network resources to relevant traffic.
Furthermore, network engineers can create different traffic control policies for every VLAN. To guarantee the best possible performance for telepresence devices, they can, for instance, give priority to video traffic on a VLAN specifically designated for conference room equipment.
Tighten security
By giving users more control over which devices can communicate with one another, VLAN segmentation improves security. To guarantee that only approved devices can communicate with vital infrastructure, network administrators, for example, can restrict management access to networking hardware or Internet of Things devices to specific VLANs.
Ease administration
Administrators can classify devices for strictly administrative and non-technical purposes by using VLANs to manage endpoints. They could, for instance, put all computers used for accounting on one VLAN, all computers used for human resources on another, and so on.
Types of VLANs
VLANs can be use based called dynamic VLANs or Port based VLANs called static in general.
Port-based or static VLAN
By designating ports on a network switch to VLANs, network engineers can build port-based VLANs. These ports are associated with individual VLANs, and they will only exchange data within the designated VLANs. Even though port-based VLANs are sometimes called static VLANs, it’s vital to understand that they are not completely static; either manually or automatically through network automation, the VLAN assignments for the ports can be changed on the fly.
Use-based or dynamic VLAN
By dynamically allocating traffic to a VLAN according to the kind of traffic or the device generating it, network engineers can create user-based VLANs. A security certificate’s identification of the connected device or the active network protocols can be used to associate a port with a VLAN. It is also possible to associate many dynamic VLANs with a single port. The VLAN assigned to a port may need to be adjusted if the device connected to it changes or if the device that is already attached changes in operation.
What are the advantages of VLAN?
VLAN offers several advantages such as simplified administration, increased performance, greater flexibility, and more.
Saves cost
Switches allow devices or workstations connected to a particular virtual local area network (VLAN) to communicate with one another, eliminating the need for routers to send and receive data from outside the VLAN. Routers’ processing of massive volumes of external data can lead to bottlenecks and security concerns. On the other hand, switches have less features than routers, but they can still effectively manage data flow and exchange information between devices connected to the network. This set up and configuration can help your company save money on router purchases and lower network latency in general.
Offer greater flexibility
When it comes to flexibility, virtual local area networks surpass traditional physical networks. They enable assignments based on port, subnet requirements, and certain protocols, and they are simple to configure and update. Teams can interact and share data more easily because these networks don’t depend on being physically close to other devices or connections like wires and cables.
Simplified administration and enhanced security
Virtual LANs don’t need a lot of administrative control. These networks make it simple to add, remove, alter, and update permission rights and access controls. You can improve security by dividing systems and devices into various LAN segments if you need to allow access to a particular set of users. Virtual LANs do not require reconfiguration if devices, systems, or user groups connected to a specific network are relocated. This strategy saves money, time, and resources for your company.
VLAN use cases
Certain VLANs have simple, useful goals, such controlling printer access. These VLANs can be set up by administrators so that computers connected to the same VLAN can access printers on the same VLAN but cannot access printers outside of it.
More intricate purposes are served by other VLANs. For example, computers in a trading department cannot communicate directly with computers in a retail banking department. One way network engineers enforce this segregation is by creating distinct VLANs for each of these departments.
How VLANs work
On network switches, a VLAN is identified by its VLAN ID. A switch’s ports can be given one or more VLAN IDs; if none are allocated, the port will default to a certain VLAN. Every VLAN grants data connection access to all hosts linked to switch ports that have been set up with its unique VLAN ID.
Every Ethernet packet transmitted to a VLAN has a 12-bit field called a VLAN tag included in its header, which is created by converting the VLAN ID. Within a single switching domain, up to 4,096 VLANs can be established due to the 12-bit tag length. IEEE 802.1Q specifies how VLAN tagging is done.
The switch appends the correct VLAN tag to an Ethernet frame it receives from a connected host that does not have one. When a VLAN is static, the switch inserts the tag linked to the VLAN ID of the incoming port. The tag is added to a dynamic VLAN according to the ID of the device or the kind of traffic it produces.
Tagged frames are forwarded by switches to the media access control (MAC) address of their destination, but only to ports connected to the corresponding VLAN. All ports in the VLAN receive broadcast, unknown unicast, and multicast traffic. Trunk links between switches accept and transmit all traffic for any VLAN that is in operation on either side of the trunk and are aware of the VLANs that span across them. Before a frame is sent to the appropriate device, the VLAN tag is removed when it reaches its destination switch port.
The switches inside each Layer 2 domain are configured in a loop-free topology using the Spanning Tree Protocol (STP). Different Layer 2 topologies are possible with the implementation of a per-VLAN STP instance. Additionally, when the topology is the same across several VLANs, a multi-instance STP can be used to reduce STP overhead.