By Ross Heintzkill
What is a VLAN and How They Work
Quick Definition: A virtual local area network (VLAN) is a way of dividing a network so that the number of broadcasts, as well as the level of access users have, is limited. The "virtual" in VLAN refers to the fact that the local area network is physically unchanged, but a layer of logic splits the network into multiple pieces.
An Overview of VLANs [VIDEO]
In this video, Jeremy Cioara covers VLANs. Having the same IP subnet is fine for a small network, but too many broadcasts can slow down the network and even the devices on it. VLANs solve that problem and can enable a “local” network across an entire campus.
How Does a Normal LAN Work?
To understand what a VLAN is, you need to understand how a normal LAN really works. Devices connected to a switch send frequent broadcasts to get IP addresses, to find network resources, and to communicate with one another. With few devices on a network, those broadcasts don't represent a problem. But if the number of devices is high, all those broadcasts can dramatically slow down each device on the network.
When you take an ordinary switch out of the box and start plugging devices into it, those devices need to be part of the same TCP/IP subnet. To start, imagine a six-port switch into which we plug two devices. The first might be 10.1.1.50/24 and the other 10.1.1.51/24. The /24 simply means that any address beginning with 10.1.1. is on the same network as they are.
These two are able to access each other and they're able to access network resources. But when they communicate, they're broadcasting to one another — and any other device on the network. A broadcast is a message that goes to everyone on the network and many network communications are transmitted as broadcasts. And those broadcasts are like highway traffic. There can only be so many cars on one road, and there can only be so many broadcasts on one network.
As the network grows, there are going to be more and more broadcasts. If those two computers become 20, which in turn become 200 — maybe eventually 2000 — computers, the number of broadcasts will also increase dramatically.
Broadcasts are a necessary part of network traffic. They need to happen. Broadcasts are how the computers get IP addresses, how they find network resources, how they communicate with each other. So broadcasts are a natural byproduct of networks, but they slow things down. They slow down the network, and even individual computers plugged into the network.
What are the Security Concerns on a LAN?
One of the benefits of a LAN is how easy it is for users to access network resources and resources on any other device on the network. This can easily be a liability too; there should always be some concern when any network user has full access to every other device. And in that respect, a LAN can be a security risk.
Imagine a less-than-scrupulous user on your network. The nature of a LAN means that user can reach the resources of everyone else on the network. They could fully access devices everywhere else, and if they decided to steal all the network data from another user, that would be nearly impossible to prevent without a high-end switch that has extensive Layer 2 features.
Why are VLANs Better Than LANs?
A VLAN breaks a single network into multiple sections. By logically separating ports and additional switches from one another, a VLAN effectively creates multiple standalone networks out of the same networking backbone. This is more secure, and it reduces the number of broadcasts individual devices receive.
What a VLAN does, and why it's called a "virtual" LAN, is take one switch or one typical network and break it into several. Imagine three switches chained together by trunks. Each switch has six ports, with a device plugged into each port. We could create two VLANs on that network by assigning every other port to one of them, though in reality any combination of ports could be assigned to either VLAN.
And it could even be 20 or 200 different VLANs, all depending on your organization's needs. Maybe your organization has an accounting team and a sales team, and your VLANs are separating those teams.
You want to keep those separate first because of security. You know how those scandalous sales people can be: they'll probably hack into the accounting department to find out what the other sales reps are making. But when you put a VLAN in place, you're effectively breaking each switch into two pieces — making it impossible for users to listen in on one another just because they're on the same physical switch.
If you've seen the 1960s TV show Get Smart, you'll remember how often Maxwell Smart demanded the Cone of Silence. Well, the Cone of Silence was kind of the original VLAN. With one, what the accounting department says among themselves is kept private, and what the sales department says on their network can't be listened to.
A VLAN is an improvement on a LAN because you get a security boundary and broadcast separations.
How Many Switches Can a VLAN Support?
The beauty of VLANs is that they transcend switches. As already mentioned, a VLAN can span multiple switches, which is done through a trunk port. The exact limits on the number of switches and VLANs depend on the equipment, but in practice it would be difficult to exceed the number of switches a VLAN can span.
What happens is this: imagine that the accounting department sends a broadcast. The switch knows which other ports are assigned to the accounting department, because you went in and configured that. On top of that, the switch looks for what Cisco calls trunk ports and what other vendors call tagged ports.
The accounting broadcast goes out that "trunk" or "tagged" port to the other, connected switches, and the broadcast carries a tag that tells the next switch which VLAN it belongs to.
VLANs are numbered, not named. So, in our example, maybe the accounting VLAN is VLAN 10. As the message is forwarded to a different switch, the broadcast is tagged for VLAN 10, and each subsequent switch recognizes which VLAN the message belongs to and handles it accordingly.
Trunks forward the traffic of every VLAN, with each frame still tagged for its VLAN, so members of a VLAN on different switches can still communicate. That means you can have a campus-wide network in which each department is separated logically through these VLANs.
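To make the tagging concrete, here is an added Python example (not code from the original post) that builds and parses 802.1Q-tagged frames and models how a six-port switch floods an accounting broadcast: only to the other ports in VLAN 10, and out the trunk with a VLAN 10 tag. The port-to-VLAN assignments and the host MAC are constructed for the example; note that 802.1Q inserts the tag after the source MAC in the header, not at the end of the frame.

```python
import struct

BROADCAST_MAC = b"\xff" * 6
TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_tagged_frame(dst, src, vlan_id, ethertype, payload, pcp=0):
    """Insert an 802.1Q tag between the source MAC and the original EtherType (header, not frame end)."""
    if not 1 <= vlan_id <= 4094:  # the VID field is 12 bits; 0 and 4095 are reserved
        raise ValueError("VLAN ID out of range")
    tci = (pcp << 13) | vlan_id  # 3 priority bits, DEI bit left at 0, 12-bit VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload) for a tagged or untagged frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]

# Constructed switch: every other port is accounting (VLAN 10) or sales (VLAN 20);
# port 7 is the trunk toward the next switch in the chain.
ACCESS_VLAN = {1: 10, 2: 20, 3: 10, 4: 20, 5: 10, 6: 20}
TRUNK_PORTS = {7}

def forward_broadcast(ingress_port, frame):
    """Map egress port -> frame: same-VLAN access ports get it untagged, trunks get it tagged."""
    dst, src, tag, ethertype, payload = parse_frame(frame)
    if ingress_port in TRUNK_PORTS:
        if tag is None:
            raise ValueError("untagged frame on trunk: native-VLAN handling not modelled here")
        vlan = tag
    else:
        vlan = ACCESS_VLAN[ingress_port]  # the port's VLAN is assigned to untagged frames on ingress
    egress = {}
    for port, member in ACCESS_VLAN.items():
        if port != ingress_port and member == vlan:
            egress[port] = dst + src + struct.pack("!H", ethertype) + payload
    for port in TRUNK_PORTS - {ingress_port}:
        egress[port] = build_tagged_frame(dst, src, vlan, ethertype, payload)
    return egress

# Constructed sample input: an ARP broadcast (EtherType 0x0806) from the accounting host on port 1
ARP_FROM_ACCOUNTING = BROADCAST_MAC + bytes.fromhex("0a1b2c3d4e5f") + struct.pack("!H", 0x0806) + b"\x00" * 28

if __name__ == "__main__":
    for port, out in sorted(forward_broadcast(1, ARP_FROM_ACCOUNTING).items()):
        print(port, "tagged VLAN", parse_frame(out)[2])
```

Feeding the trunk copy back into a second instance of the same switch model shows the next switch delivering it only to its own VLAN 10 ports, which is the behaviour the tag exists to produce.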
How Does Voice Over IP Get Affected by VLANs?
Voice over IP is a great practical example of how VLANs enhance network operations. VoIP is a huge and growing technology — it's basically plugging a phone into a network.
From a security perspective, that seems like a terrible idea, because now you have phone conversations going across the network in the clear. Tools to take advantage of that already exist, and one of them is very popular: Wireshark. Wireshark lets you sniff network packets, pull out phone conversations, and convert them to .wav files. All you have to do is double-click the .wav and hear the phone conversation.
It gets even worse when you learn that the recommended design is to daisy-chain computers off the phones to save on cabling infrastructure. That could mean an entire organization's phone conversations pass through one network, and that's a lot of data that could disrupt, or be disrupted by, the ordinary network traffic.
With VLANs you can completely separate those phones into their own logically separated network, where the computers cannot touch them and vice versa.
The phones are then isolated from everyone else, both from a security perspective, since people can't fire up Wireshark and start tapping phone conversations, and from a broadcast perspective, since all that computer data will never affect the phones or how they perform.
With the security and efficiency boosts a network sees from implementing them, it's no wonder that virtual local area networks are the hallmark of a serious campus-wide network. Wiring them and configuring their operation usually requires careful attention and significant training. Need a suggestion for training? Try our Cisco CCNA training.