VLANs are everywhere. You can find them in nearly any organization with a properly configured network. In case it wasn’t obvious, VLAN stands for, “Virtual Local Area Network,” and they’re ubiquitous in any modern network beyond the size of a tiny home WiFi setup.
There are a few different protocols, many of which are vendor-specific, but at its core, every VLAN does much the same thing and has the same advantages for larger scale networks.
Those advantages are a big part of why VLANs are so heavily relied on by professional networks of all sizes. In fact, it would be difficult to manage or scale networks without them.
What Is A VLAN?
Okay, so you know what VLAN stands for, but what exactly are they? The basic concept should be familiar to anyone who has worked with or used virtual machines.
Think for a second how virtual machines work. Multiple virtual computers reside within one physical piece of hardware that’s running an operating system and hypervisor which allow the virtual computers to run.
Virtual LANs work in exactly the same way. One or more managed switches run software that allows them to create multiple virtual switches within themselves.
Each virtual switch is its own self-contained network. The main difference between virtual computers and virtual LANs is that virtual LANs can be distributed across multiple physical pieces of hardware with a designated cable called a trunk.
Picture that you’re running the network of a small business. The business just grew, adding employees and dividing into three separate departments. You just upgraded to a new 24-port switch to accommodate new devices on the network.
You could choose to run cable to the devices that you just added and forget about it, but the file storage and services being used by the departments need to be kept separate. VLANs are the best way to do that.
Within the web interface of the switch, you can configure three separate VLANs, one for each department. The simplest way to divide them is by port numbers. Ports 1-8 go to the first department. You then give ports 9-16 to the second department. You then assign ports 17-24 to the last department.
The software on the switch can manage the traffic between the clients in each VLAN. Every VLAN acts as its own network and can’t interact directly with the other VLANs. Now, each department has its own smaller, less cluttered, and more efficient network, and you can manage them all through the same piece of hardware.
When you need the departments to be able to interact, you can make them do so through the router on the network. The router can regulate and control traffic between the VLANs and enforce stronger security rules.
VLAN vs. Subnet
VLANs and subnets are actually quite similar and serve similar functions. Both subnets and VLANs divide up networks and broadcast domains. In both cases, interactions between subdivisions can only occur through a router.
The differences between them come in the form of their implementation and how they alter network structure.
Subnets exist at Layer 3 of the OSI Model. They are a network level construct and are handled with routers. As a result, subnets are based around IP addresses.
Routers carve out ranges of IP addresses and negotiate the connections between them. This places all of the stress of network management on the router.
VLANs find their home on Layer 2 of the OSI Model. The data link level is closer to the hardware and less abstract. Virtual LANs emulate hardware, since they act like individual switches.
However, virtual LANs are able to break up broadcast domains without needing to connect back to a router. Because VLANs are their own virtual networks, they have to behave somewhat like they have a built-in router. As a result, VLANs contain at least one subnet, and can support multiple subnets.
VLANs distribute network load. Multiple switches can handle traffic within VLANs without getting any routers involved.
Advantages Of VLANs
By now, you’ve already seen a couple of the advantages that VLANs bring to the table. Just by the virtue of what they do, VLANs have a number of valuable attributes.
VLANs help with security. Compartmentalizing traffic limits any opportunity for unauthorized access to parts of a network. It also helps to stop the spread of malicious software, should any find its way onto the network. Potential intruders can’t use tools like Wireshark to sniff out packets on anywhere beyond the virtual LAN they’re on, limiting that threat as well.
Network efficiency is a big deal. It can save or cost a business thousands. Breaking up broadcast domains greatly increases network efficiency by limiting the number of devices involved in communication at a time.
Often, network engineers choose to construct virtual LANs on a per-service basis, separating out important or network intensive traffic like a SAN or VOIP. Some switches also allow an administrator to prioritize VLANs, giving more resources to more demanding traffic.
It would be terrible to need to build an independent physical network to separate out traffic. Imagine the kraken of cabling that you’d have to battle. That’s to say nothing for the increased hardware cost and power draw. It would also be wildly inflexible. VLANs solve all of these problems by virtualizing multiple switches on a single piece of hardware.
VLANs provide a high degree of flexibility to network admins through a convenient software interface. Say two departments switch offices. Does the IT staff have to move around hardware to accommodate the change? No. They can just reassign ports on the switches to the correct VLANs. Some VLAN configurations wouldn’t even require that. They’d dynamically adapt. These VLANs don’t require assigned ports. Instead, they’re based on MAC or IP addresses. Either way, there’s no shuffling of switches or cables required.
Static vs. Dynamic VLANs
There are two basic types of VLANs, categorized by the way machines are connected to them. Each type has strengths and weaknesses that should be taken into account based on the particular network situation.
Static VLANs are often referred to as port based VLANs because devices join by connecting to an assigned port. This guide has only used static VLANs as examples so far.
In setting up a network with static VLANs, an engineer would divide divide up a switch by its ports and assign each port to a VLAN. Any device that connects to that physical port will join that VLAN.
Static VLANs provide very simple and easy to configure situation, and don’t rely too heavily on software. However, it’s difficult to restrict access within a physical location because an individual can simply plug in. Static VLANs also require a network admin to change port assignments in case someone on the network changes physical locations.
Dynamic VLANs rely heavily on software, and allow a high degree of flexibility. An administrator can assign MAC and IP addresses to specific VLANs, allowing unencumbered movement in the physical space. Machines in a dynamic virtual LAN can move anywhere within the network and remain on the same VLAN.
Even though Dynamic VLANs are unbeatable in terms of adaptability, they have some serious drawbacks. A high-end switch has to take on the role of a server known as a VMPS(VLAN Management Policy Server) to store and deliver address information to the other switches on the network. A VMPS, like any server, requires regular management and maintenance.
Attackers can spoof MAC addresses and gain access to dynamic VLANs, adding another potential security challenge.
Setting Up A VLAN
What You Need
There are a couple of basic items that you need to set up a VLAN or multiple VLANs. As stated before, there are a number of different standards, but the most universal one is the IEEE 802.1Q. That’s the one that this example will follow.
Technically, you don’t need a router to set up a VLAN, but if you want multiple VLANs to interact, you’re going to need a router.
Many modern routers support VLAN functionality in some form or another. Home routers might not support VLAN or only support it in a limited capacity. Custom firmware like DD-WRT does support it more thoroughly.
Speaking of custom, you don’t need an off-the-shelf router to work with your virtual LANs. Custom router firmware is usually based on Linux or FreeBSD, so you can build your own router using either one of those open source operating systems. All of the routing functionality that you need is available for Linux, and you can custom configure a Linux install to tailor make your router just the way you want it. For something that’s more feature-complete, look into pfSense. pfSense is an excellent distribution of FreeBSD built to be a robust open source routing solution. It supports VLANs and includes a firewall to better secure the traffic between your virtual networks.
Whichever option you choose, ensure that it supports the VLAN features that you want.
Switches are at the heart of VLAN networking. They’re where the magic happens. However, you need a managed switch in order to take advantage of VLAN functionality.
To take things a level higher, literally, there are Layer 3 managed switches available. These switches are able to handle some Layer 3 networking traffic and can take the place of a router in some situations. It’s important to keep in mind that these switches aren’t routers, and their functionality is limited. They are an option, if the situation warrants it.
The network interface cards that you use on your client machines should support 802.1Q. Chances are, they do, but it’s something to look into before moving forward.
Here’s the hard part. There’s thousands of different possibilities for how you can configure your network. No single guide can cover all of them. At their heart, the ideas behind nearly any configuration are the same, and so is the general process.
Setting Up The Router
You can get started in a couple of different ways. You can either connect the router to each switch or each VLAN. If you opt for just each switch, you will need to configure the router to differentiate the traffic.
You can then configure your router to handle passing traffic between VLANs.
Configuring The Switches
Assuming that these are static VLANs, you can enter your switch’s VLAN management utility through its web interface and begin assigning ports to different VLANs. Many switches use a table layout that allows you to check off options for the ports.
If you’re using multiple switches, assign one of the ports to all of your VLANs and set it as a trunk port. Do this on each switch. Then, use those ports to connect between the switches and spread your VLANs across multiple devices.
Finally, getting clients on the network is pretty self-explanatory. Connect your client machines to the ports corresponding to the VLANs that you want them on.
VLAN At Home
Even though it might not seen like a logical combination, VLANs actually have a great application in the home networking space, guest networks. If you don’t feel like setting up a WPA2 Enterprise network in your home and individually creating login credentials for your friends and family, you can use VLANs to restrict the access your guests have to the files and services on your home network.
Many higher end home routers and custom router firmwares support creating basic VLANs. You can set up a guest VLAN with its own login information to let your friends connect their mobile devices. If your router supports it, a guest VLAN is a great added security layer to prevent your friend’s virus-riddled laptop from screwing up your clean network.