Guide to VLANs: What They are, How They Work, and Why They Matter

Quick Definition: A virtual local area network (VLAN) divides a network to limit the number of broadcasts and users' access levels. The "virtual" in VLAN refers to the fact that the local area network is physically unchanged, but a logic layer splits it into multiple pieces.

What are VLANs? [VIDEO]

In this video, Jeremy Cioara discusses the importance of VLANs. Having the same IP subnet is fine for a small network, but too many broadcasts can slow down the network and even its devices. VLANs solve that problem and can enable a “local” network across an entire campus.

How Does a Normal LAN Work?

To understand what a VLAN is, you need to understand how a normal LAN really works. Devices on a switch frequently send broadcasts to get IP addresses, find network resources, and communicate. With a small number of devices, broadcasts are manageable. However, as the number of devices increases, broadcasts can significantly slow down the network.

When devices are plugged into a standard switch, they must be part of the same TCP/IP subnet. For example, on a six-port switch with two devices, one might have an IP of 10.1.1.50/24 and the other 10.1.1.51/24. The /24 indicates they share the same network.

These devices can communicate and access resources, but their broadcasts reach every device on the network. Like traffic on a highway, too many broadcasts can congest the network.  As the network grows, there are more and more broadcasts. If those two computers become 20, which in turn become 200—maybe eventually 2000—the number of broadcasts also increases dramatically.

Broadcasts are a necessary part of network traffic. They need to happen. However, excessive broadcasts lead to a slow network—which is why VLANs matter. 

What are the Different Types of VLANs? 

A virtual local area network (VLAN) divides a network to limit the number of broadcasts and restrict user access to parts of the network they don't need to access. The "virtual" in VLAN refers to the fact that the local area network is physically unchanged, but a layer of logic splits it into multiple pieces.

There are multiple types of VLAN, and each serves different purposes: 

• Default VLAN: The initial VLAN to which all switch ports are assigned by default. On most switches, this is VLAN 1. 

• Data VLAN: A VLAN designated for user-generated data traffic, isolating it from other types of traffic like voice or management.

• Voice VLAN: A VLAN specifically for carrying voice traffic from IP phones, ensuring higher priority and quality of service (QoS).

• Management VLAN: A VLAN used for network management traffic, such as SNMP, SSH, or Telnet. This provides a secure channel for managing network devices.

• Native VLAN: The VLAN assigned to untagged traffic on a trunk port 802.1Q. It is typically used for backward compatibility with devices that don't support VLAN tagging.

What are the Benefits of VLANs? 

A VLAN breaks a single network into multiple sections by logically separating ports and switches, creating multiple standalone networks from the same backbone. This enhances security and reduces the number of broadcasts individual devices receive.

Imagine three switches chained together, each with six ports and a device plugged into each port. By assigning different ports to different VLANs, you create separate networks. For example, you could have VLANs for the accounting and sales teams, keeping their traffic and communications isolated.

This separation is crucial for security, preventing unauthorized access between departments. If you've seen the 1960s TV show Get Smart, you'll remember how often Maxwell Smart demanded the Cone of Silence. Well, the Cone of Silence was kind of the original VLAN. With one, what the accounting department says among themselves is kept private, and what the sales department says on their network can't be listened in on. 

A VLAN is an improvement on a LAN because you get a security boundary and broadcast separations.

3 Different Methods to Assign VLAN Membership to Network Devices

Assigning VLAN membership to network devices helps separate traffic and increase security. There are three general methods used to decide which VLANs each device should be assigned to: 

• Port-based VLAN assignment: This method assigns VLAN membership based on the physical switch port. Each port is statically assigned to a VLAN, and any device connected to that port becomes part of the assigned VLAN. This is one of the simplest methods to separate network traffic and limit access to sensitive data. 

• MAC address-based VLAN assignment: VLAN membership is determined by the connected device's MAC address. The switch uses a table to map each MAC address to a specific VLAN, allowing dynamic assignment as devices connect to the network. This method reduces the need for manual configuration and provides flexibility for users who change locations frequently. 

• Protocol-based VLAN assignment: VLAN membership is assigned based on network protocol, such as IP or VOIP. This method allows traffic from different protocols to be segregated into different VLANs, helping optimize traffic management and improving security. 

Network administrators may use different methods for different parts of the network depending on the network's needs. For example, users who frequently move around the building due to shared desks may be assigned VLAN membership by MAC address, while VOIP devices use protocol-based VLAN assignment. This tailored approach optimizes network performance and security. 

How Many Switches Can a VLAN Support?

The beauty of VLANs is that they transcend switches. This allows VLANs to function across a network as they are not limited to a single switch.  

Imagine that the accounting department sends a broadcast. The switch knows what other ports are assigned to the accounting department because you configured that. On top of that, the switch looks for what Cisco calls trunk ports and what other vendors call a tagged port.

What happens is that the accounting broadcast goes out that "trunk" or "tagged" port to other connected switches, and the broadcast gets a little tag on the end that tells the next switch what VLAN it belongs to.

VLANs are numbered, they're not named. So, in our example, maybe the accounting VLAN is VLAN 10. So, as the message gets forwarded down to a different switch, the broadcast gets tagged for VLAN 10, and each subsequent switch recognizes which VLAN the message belongs to and handles it accordingly.

Trunks always forward all the traffic and still allow the VLANs to communicate. That means you can have a campus-wide VLAN network in which each separate department is separated logically through these VLANs.

How is Voice Over IP (VOIP) Affected by VLANs?

Voice over IP is a great practical example of how VLANs enhance network operations. VoIP is a huge and growing technology — it's basically plugging a phone into a network.

From a security perspective, that seems like a terrible idea. Because now you have phone conversations going across the network in the clear. There are already tools out there. One is, in fact, very popular: WireShark. WireShark allows you to sniff network packets, take phone conversations, and convert them to .wav files. So all you have to do is just double-click the .wav and hear the phone conversation.

It gets even worse when you find out that the right design for this is to daisy-chain computers from phones to save on cabling infrastructure. That could potentially mean that an entire organization's phone conversations pass through one network—and that's a lot of data that could interrupt or be interrupted by the other, standard network traffic.

With VLANs, you can completely separate those phones into their own logically separated network. In that place, the computers cannot touch them, and vice versa.

They're completely isolated from everybody, both from a security perspective, people can't get in on WireShark and start tapping phone conversations, but also from a broadcast perspective: all that computer data will never impact the phones themselves and how they're performing.

What are the Security Concerns on a VLAN?

VLANs are more secure than LANs because they limit access to specific parts of the network.  Imagine a less-than-scrupulous user on your network. The nature of a LAN means they can access all the resources of anyone else on the network. That bad user could fully access devices everywhere else, and if they decide to steal all the network data from another user, it's nearly impossible to prevent. 

VLANs are inherently more secure because they limit network access; however, there are some security concerns to be aware of. 

• VLAN Hopping: Attackers can exploit switch misconfigurations to send packets to VLANs they shouldn't have access to. This can be done through techniques like double tagging or switch spoofing.

• Inter-VLAN Routing: If not properly secured, routing between VLANs can expose sensitive data to unauthorized users. Access control lists (ACLs) must be used to regulate traffic between VLANs.

• Broadcast Storms: Although VLANs reduce the scope of broadcast traffic, misconfigurations or certain attacks can still lead to broadcast storms that can degrade network performance or lead to denial of service (DoS).

To mitigate these concerns, ensure VLANs are properly configured and regularly monitor network traffic. Implementing additional security measures such as ACLs, secure trunk configurations, VLAN pruning, and encrypted communication protocols can also limit security risks.

Wrapping Up

With the security and efficiency boosts a network sees from implementing them, it's no wonder that virtual local area networks are the hallmark of a serious campus-wide network. Wiring them and configuring their operation usually requires careful attention and significant training. 

Looking to advance your career as a virtualization engineer? Enroll in our VMware VCP-DCV training course today!