Virtual Local Area Network (VLAN)

A Virtual Local Area Network (VLAN) is a method to logically segment a single physical network switch into multiple independent Layer 2 networks. This segmentation improves network performance, security, and cost-efficiency by isolating devices without requiring separate hardware. VLANs operate at the Data Link Layer (Layer 2) of the OSI model, using MAC addresses to control traffic flow.

---

Key Concepts

Core Definitions

• VLAN (Virtual Local Area Network): A logical partition of a physical switch into multiple isolated Layer 2 networks.
• Layer 2 (Data Link Layer): The OSI layer responsible for frame forwarding using MAC addresses.
• Broadcast Domain: A group of devices that receive a broadcast frame sent by any member of the group.
• Switch: A Layer 2 device that forwards Ethernet frames based on MAC addresses.
• Access Port: A switch port assigned to a single VLAN, typically connected to an end device (e.g., a PC).
• Trunk Port: A switch port that carries traffic for multiple VLANs (used between switches or to routers).
• Default VLAN (VLAN 1): On most switches (e.g., Cisco), all ports belong to VLAN 1 by default unless reconfigured.
• Inter-VLAN Communication: Traffic between different VLANs requires a Layer 3 device (router or Layer 3 switch).

---

How VLANs Work

Logical Segmentation

VLANs create separate broadcast domains on a single physical switch. Devices in one VLAN cannot directly communicate with devices in another VLAN at Layer 2, even if they share the same physical switch.

Example:

• Physical Setup: 1 switch with 4 PCs (PC1, PC2, PC3, PC4).
• VLAN Configuration:
  • PC1 and PC2 → VLAN 10
  • PC3 and PC4 → VLAN 20

Logical Behavior:

• PC1 and PC2 behave as if connected to a dedicated switch (VLAN 10).
• PC3 and PC4 behave as if connected to a separate switch (VLAN 20).
• Broadcasts from PC1 only reach PC2 (not PC3 or PC4).

Visual Representation:

Physical Switch:
┌──────────────────┐
│      SWITCH      │
└──────────────────┘
 |   |   |   |
PC1 PC2 PC3 PC4

Logical Equivalent:
        VLAN 10                  VLAN 20
     ┌─────────────┐         ┌─────────────┐
     │   Switch A  │         │   Switch B  │
     └─────────────┘         └─────────────┘
        |       |               |       |
       PC1     PC2             PC3     PC4

Broadcast Domain Isolation

• Without VLANs: A broadcast from any device floods the entire switch.
• With VLANs: Broadcasts are confined to the originating VLAN.
  • Example: A broadcast from PC1 (VLAN 10) only reaches PC2 (VLAN 10), not PC3 or PC4 (VLAN 20).

---

Why Use VLANs?

Performance Benefits

• Reduced Broadcast Traffic: Limits broadcasts to devices in the same VLAN.
  • Example: 100 devices split into 5 VLANs (20 devices each) → broadcasts affect only 20 devices, not 100.
• Improved Network Efficiency: Less unnecessary traffic on the network.

Security Advantages

• Logical Isolation: Devices in different VLANs cannot communicate directly at Layer 2.
  • Example:
    • Accounting (VLAN 10) and IT (VLAN 20) are isolated.
    • Without Layer 3 routing, users in VLAN 10 cannot access VLAN 20 devices.
• Note: VLANs are not a substitute for firewalls. They provide segmentation but do not enforce advanced security policies.

Cost and Scalability

• Hardware Efficiency: One physical switch can host multiple logical networks.
  • Without VLANs: Each subnet requires a separate physical switch.
  • With VLANs: One switch can serve multiple subnets.
• Reduced Complexity: Less cabling, power consumption, and management overhead.

---

VLAN Communication Rules

Intra-VLAN Communication

• Devices in the same VLAN can communicate directly at Layer 2 (if IP addressing is correct).
• No additional hardware is required.

Inter-VLAN Communication

• Devices in different VLANs cannot communicate directly at Layer 2.
• Requires a Layer 3 device (router or Layer 3 switch) for Inter-VLAN routing.
  • Example: A router with sub-interfaces for each VLAN or a Layer 3 switch with SVIs (Switched Virtual Interfaces).

---

Common VLAN Configurations

Default VLAN Behavior

• On most switches (e.g., Cisco), all ports belong to VLAN 1 by default.
• Implication: Without configuration, all devices are in the same broadcast domain.
• Best Practice: Change default VLAN assignments for security and segmentation.

VLAN Tagging (IEEE 802.1Q)

• Trunk Ports: Carry traffic for multiple VLANs between switches or to routers.
• Tagging: Adds a VLAN ID (4-byte header) to Ethernet frames to identify the VLAN.
  • Access Ports: Untagged traffic (assigned to a single VLAN).
  • Trunk Ports: Tagged traffic (carries multiple VLANs).

---

Practical Use Cases

Enterprise Network

• Departments: Isolate HR, Finance, and IT into separate VLANs.
• Servers: Place database servers in a dedicated VLAN for security.
• VoIP Phones: Assign to a VLAN separate from data traffic.

Small Office/Home Office (SOHO)

• Employees: VLAN 10 (trusted devices).
• Guests: VLAN 20 (isolated from internal resources).
• IoT Devices: VLAN 30 (e.g., cameras, smart thermostats) to limit access.

---

Common Mistakes to Avoid

• Misunderstanding Layer: VLANs operate at Layer 2, not Layer 3.
• Overestimating Security: VLANs provide segmentation but do not replace firewalls or encryption.
• Ignoring Default VLAN: All ports are in VLAN 1 by default—reconfigure for security.
• Assuming Inter-VLAN Communication: Devices in different VLANs cannot communicate without a router/Layer 3 switch.
• Confusing VLANs and Subnets: VLANs are Layer 2; subnets are Layer 3. They often align but are not the same.

---

VLAN vs. No VLAN: Key Differences

Feature	Without VLAN	With VLAN
Broadcast Scope	Entire switch	Per VLAN only
Isolation	None	Logical isolation
Hardware Needed	One switch per subnet	One switch for multiple subnets
Inter-VLAN Communication	Direct (same network)	Requires Layer 3 device
Security	Low (flat network)	Improved (segmentation)

---

Quick Review: Key Takeaways

• VLANs logically segment a physical switch into multiple Layer 2 networks.
• Each VLAN is a separate broadcast domain.
• Devices in the same VLAN communicate directly; devices in different VLANs require Layer 3 routing.
• VLANs improve performance (reduced broadcasts), security (isolation), and cost-efficiency (fewer switches).
• Default VLAN (VLAN 1) is a security risk—reconfigure ports for proper segmentation.
• IEEE 802.1Q is the standard for VLAN tagging on trunk ports.

---

Learn More

• Standards:
  • IEEE 802.1Q – VLAN tagging standard.
  • OSI Model (ISO/IEC 7498-1) – Layered network architecture.
• Protocols:
  • RFC 791 (IP) – Internet Protocol.
  • Cisco VLAN Configuration Guide – Practical implementation.
• Tools:
  • Wireshark (for analyzing VLAN-tagged traffic).
  • Packet Tracer (for VLAN simulation).