What is a VLAN? A complete guide to virtual LANs

A virtual local area network (VLAN) is a method of segmenting a single physical local area network (LAN) into multiple separate networks through software. This guide covers how VLANs work, the possible benefits they bring, and best practices with regard to configuration and security.

Understanding VLANs: The basics

A VLAN functions by creating logical divisions within a single physical network. This offers practical benefits in terms of security and streamlined management, with VLANs deployed in a wide range of settings.

Why use a VLAN in networking?

In most networks at homes and small offices, all devices share the same broadcast domain. In other words, messages sent to “everyone” are received by all devices. This setup is referred to as a flat network.

While sufficient for many purposes, flat networks can result in excessive broadcast traffic, which reduces speeds. VLANs avoid this problem through network segmentation.

By dividing a network into smaller segments, each with its own broadcast domain, IP address range, and subnet mask, VLANs make large networks more manageable. Administrators gain flexibility and can exercise more granular control. Additionally, by provisioning each individual segment with different rights and privileges, VLANs can enhance security by serving as a means of access control.

Real-life examples of VLAN usage

Though VLANs are mostly used in offices and public spaces, there are use cases in other settings. For example, for landlords of multi-tenant units and homeowners that have roommates, network segmentation brings security benefits and can enhance privacy for all parties. VLANs are also favored over flat networks in smart homes; segmentation makes managing lots of Internet of Things (IoT) devices easier and more efficient.

Still, most VLANs are found in offices. In corporate environments, an administrator might create separate VLANs for different departments. This prevents employees in one department from accessing another department's systems.

In offices with bring your own device (BYOD) policies, VLANs are widely used as a vital security measure. Segmentation can allow employees to access the resources they need while keeping potentially insecure devices away from sensitive systems such as backup servers and databases.

How does a VLAN work?

VLANs operate by adding a tag to network frames (bundles of data that are sent together) to identify which virtual network they belong to. This is accomplished through switches (network devices that, like routers, connect devices within a local network).

In a VLAN, switches sort frames and keep traffic with different tags completely separate. This creates multiple logical networks on a single physical infrastructure without requiring additional routers or cabling.

Layer 2 and Layer 3 VLAN operation

VLANs operate at Layer 2 of the Open Systems Interconnection (OSI) model. Known as the Data Link Layer, Layer 2 is primarily responsible for organizing frames of data. Interaction between VLANs, also known as inter-VLAN routing, requires Layer 3 (Network Layer) switches to route packets between VLANs.

To enable inter-VLAN routing, each VLAN is assigned a unique IP subnet and associated with a switched virtual interface (SVI). Each SVI receives an IP address from its VLAN’s subnet and serves as the default gateway for devices within that VLAN. The Layer 3 switch then routes packets between SVIs using IP addresses, enabling communication across VLANs without the need for an external router.

Tagging and trunking explained

Tagging and trunking are the mechanisms switches use to transport traffic from multiple VLANs across shared physical links. Tagging inserts VLAN information into Ethernet frames, while trunking refers to the configuration and use of links that carry tagged traffic between network devices.

802.1Q tagging and trunking

The Institute of Electrical and Electronics Engineers (IEEE) 802.1Q standard defines how VLAN tags are inserted into Ethernet frames. This is essential in order for switches to identify which VLAN each frame belongs to. When a frame travels across a trunk link, a 4-byte header containing a 12-bit VLAN identifier is added to it. This allows multiple VLANs to share a single link without mixing traffic. When the frame reaches an access port, the tag is removed before delivery to the end device.

Access and trunk ports

Switch ports can operate as access ports or trunk ports depending on whether they’re meant for a single segment or routing traffic between multiple VLANs.

• Access port: These ports transmit data to and from a single VLAN. Since they don’t handle data between multiple VLANs, the frames they send and receive aren’t tagged.
• Trunk port: Trunk ports route data between multiple VLANs. As a result, tagging is utilized to ensure data is transmitted to the correct endpoints.

Inter-VLAN routing

VLANs create logical separation between devices at Layer 2. This means that devices in different VLANs cannot directly communicate. To get around this, Layer 3 routing is accomplished through a process known as inter-VLAN routing. This can be implemented through Layer 3 switches or traditional routers.

Router-on-a-stick method

The router-on-a-stick method is a form of inter-VLAN routing in which a single physical router interface is used to route traffic between multiple VLANs. This interface is configured as a trunk link and divided into multiple logical subinterfaces. Each of these is assigned to a specific VLAN and given its own IP address to act as the default gateway for that network.

Once VLANs and trunking are configured on the connected switch ports, devices in different VLANs can communicate by sending their traffic to the router, which routes it back through the same physical link. This approach is cost-effective and simple to implement, but because all inter-VLAN traffic traverses a single interface, bottlenecks can form in high-traffic environments.

Using Layer 3 switches

Layer 3 switches use SVIs to route traffic between VLANs, with each SVI acting as the default gateway for devices in its respective VLAN. The switch uses hardware rather than software to process routing decisions, which typically results in improved performance compared to router-on-a-stick configurations.

This approach requires more upfront configuration but scales well as more VLANs are added to a network.

Types of VLANs

VLANs are usually categorized based on the type of traffic that they carry.

Data VLAN

Built for general traffic, data VLANs (also called user VLANs) are the most common type of VLAN. They carry all traffic that doesn’t fit under a specialized category. This includes user traffic for everyday purposes like sending emails, browsing the web, and streaming videos. Rather than being optimized for a specific purpose, data VLANs serve as a general segment for a wide range of uses.

Voice VLAN

Configured specifically to carry Voice over Internet Protocol (VoIP) traffic, voice VLANs facilitate real-time conversations. Voice data is time-sensitive and requires a higher priority than regular data traffic to avoid delays and jitter. Deploying a separate voice VLAN allows administrators to apply quality of service (QoS) policies to ensure high-quality, low-latency calls.

Management VLAN

Administrators set up management VLANs to segment admin access away from other types of data. They are often used to manage and monitor switches and routers. Deploying a management VLAN can reduce a system’s attack surface by preventing user devices and threat actors from accessing sensitive tools. It can also help ensure that administrators have sufficient bandwidth for network management, even if user traffic is high.

Native VLAN

Native VLANs are configured on 802.1Q trunk ports (switch ports that carry traffic for multiple VLANs using 802.1Q tags) and process frames that arrive without a VLAN tag. This supports a degree of backward compatibility with devices that don’t support VLAN tagging. Because a trunk normally carries traffic for multiple VLANs using 802.1Q tagging, the native VLAN provides a default VLAN for untagged frames. Frames sent on the native VLAN are transmitted untagged, and untagged inbound frames are assigned to the native VLAN.

Port-based vs. protocol-based vs. MAC address-based VLANs

When it comes to assigning devices to a specific VLAN, there are three main approaches:

• Port-based: Using ports is the simplest way to configure devices on a VLAN and separate network traffic. In this method, VLAN membership is assigned to a device based on the physical ports it uses. Each port is assigned to a specific VLAN, and any device connecting to that port becomes part of its assigned VLAN.
• Protocol-based: This method assigns VLAN membership based on the protocol of a device’s traffic. For instance, a device that handles traffic using VoIP protocols would get assigned to a voice VLAN.
• MAC address-based: Somewhat more complicated, this method requires that the network switch map each device’s Media Access Control (MAC) address to a specific VLAN. The advantage is added flexibility; under this framework, the configuration can be adjusted to move devices between different VLANs.

Advantages and disadvantages of VLANs

VLANs offer significant benefits for network organization, but they also introduce some complexities and challenges.

Benefits of using VLANs

Improved security

VLANs enhance security by isolating network traffic. This can limit an attacker’s lateral movement within a network and potentially restrict access to sensitive data. Administrators can also create specific VLANs for sensitive departments like finance or HR, granting access to only authorized users.

Better network performance

VLANs can improve network performance by reducing unnecessary broadcast traffic. In a large, flat network, a broadcast frame from one device is sent to every other device, consuming significant bandwidth.

By creating smaller broadcast domains, VLANs ensure that broadcast traffic is only forwarded to devices within the same VLAN. This reduces network congestion and frees up bandwidth, leading to a faster and more efficient network.

Simplified management

VLANs simplify network administration by enabling devices to be grouped logically rather than based on their physical location in a network.

For example, if an employee moves to a different office, an administrator can assign them to the correct VLAN using an interface rather than rewiring their connection or conducting any other physical network changes.

Cost efficiency

VLANs can reduce costs by making more efficient use of existing hardware and infrastructure. By segmenting a network logically, they reduce the need for additional routers or switches that would otherwise be needed to segment devices within a network.

Limitations and challenges

Benefits aside, there are issues that must be considered before setting up a VLAN.

Bandwidth considerations

VLANs draw bandwidth from their parent network, which can only handle a limited amount of data at a time. As a result, heavy traffic on the VLAN will reduce bandwidth on the main network (and vice versa). Similarly, when a network is segmented into a large number of VLANs, all of these will still share the same overall bandwidth. If one VLAN is consuming large amounts of bandwidth, this can result in poor speeds across the wider network.

There are some measures that can alleviate problems stemming from limited bandwidth. For one, you can increase your overall bandwidth by upgrading your internet plan. It’s also possible for an administrator to set caps on how much data each VLAN has access to. Setting limits will prevent one VLAN from using so much bandwidth that it affects throughput (effective speed) on other segments.

Configuration complexity

Designing and implementing a VLAN architecture can be complex. It requires a solid understanding of concepts like network topology, trunking, tagging, and inter-VLAN routing.

This complexity can be a challenge for small businesses or organizations without dedicated staff for network configuration and management. The setup and ongoing maintenance demand a higher level of technical expertise compared to a simpler flat network.

Potential misconfigurations

Improper VLAN configuration can lead to significant performance or security issues. For instance, incorrect port assignment can hinder communication between devices, while misconfigured trunk ports can cause traffic from one VLAN to spill over into another and compromise security.

Common VLAN attacks

In addition to the issues outlined above, VLANs are also vulnerable to specific threats that you should be aware of before setting one up.

VLAN hopping

VLAN hopping involves an attacker bypassing a network’s segmentation to intercept data or inject malicious traffic. This is usually achieved using forged tags and can result in data theft, man-in-the-middle (MITM) attacks, or disruption across segregated network segments.

Switch spoofing

Switch spoofing exploits the Dynamic Trunking Protocol (DTP), a proprietary protocol developed by Cisco, a technology conglomerate. DTP is responsible for the creation of trunk links between switches. In switch spoofing attacks, a device can be incorrectly trusted as a peer network switch and granted broader access than intended, potentially giving the attacker access to multiple VLANs.

Double tagging

Double tagging attacks have the potential to allow a threat actor to gain unauthorized access to VLANs and launch further attacks. These attacks work by exploiting the way that network switches handle VLAN tags. If successful, this attack can bypass the intended network segmentation and send the packet to a VLAN chosen by the attacker.

How to secure VLANs

To stay safe from attacks and ensure your network is configured to the highest network security standards, it’s important to be proactive. The measures below can help you secure VLANs and mitigate the risks of configuration issues or exploits.

Using VLAN access control lists (VACLs)

VLAN access control lists (VACLs) enhance security by ensuring only approved devices can exchange traffic in a VLAN segment.

VACLs are implemented by first defining an access list specifying what traffic or devices are permitted within a particular VLAN. Once this is done, a VLAN access map is created to match that traffic using the access list. Within the access map, action clauses are configured to specify whether matched traffic should be forwarded, dropped, or redirected.

Disabling unused ports

Unused ports are a potential avenue of attack. They have the potential to allow threat actors to connect rogue devices, gain unauthorized network access, or even launch denial-of-service (DoS) attacks.

The best method of securing unused ports is to simply disable them. An alternative approach is to assign these ports to an unused VLAN. In this instance, even if an attacker were to breach an unused port, they’d only have access to a network with no traffic.

Correctly configure native VLANs

A poorly configured native VLAN opens up various risks. To ensure security, it’s best to take the following steps:

• Change the default native VLAN: Switching the default native VLAN away from the default ID (usually VLAN 1) is recommended to reduce opportunistic attacks.
• Use a dedicated native VLAN: Creating a dedicated VLAN to carry native VLAN traffic and no other data improves security by limiting the scope of a potential intrusion.
• Avoid user-facing ports: Keeping the native VLAN separate from user-facing ports helps ensure that user data is more segregated.
• Tag native VLAN traffic: Giving native VLAN traffic a unique tag is a good practice that improves control over network traffic and makes it easier to monitor.

How to configure a VLAN

Setting up a VLAN involves configuring logical network segments in a switch.

Basic VLAN configuration steps

While the exact commands for configuring VLAN segments differ between manufacturers, the basic process is largely universal.

1. Determine groupings and prepare IDs: The first step is determining how you want to group devices and preparing IDs, which are numerical and can range from 1 to 4095.
2. Map out the VLAN network: Before proceeding with configuration, it’s best to create a network map or diagram that details exactly how the network will be segmented.
3. Connect devices to appropriate ports: After mapping out the structure, connect devices to the switch ports that they’ve been assigned in the network diagram.
4. Configure ports: Next, decide whether each port will operate in access mode (for end devices like computers and printers) or trunk mode (for links between switches or to routers) and configure the ports accordingly.
5. Set up VLAN specifications: Using the switch’s management interface, create VLANs and assign names to them for easier management.

Note that configuring VLAN specifications requires access to your switch’s management interface, either through a command-line interface or a web-based graphical interface. The commands themselves vary by manufacturer.

Common setup mistakes to avoid

Given the problems associated with a misconfigured VLAN, it’s important to avoid the following setup mistakes during configuration:

• Not having a management VLAN: A management VLAN is a vital security tool that can be used to control access to vital resources and monitor the network. In virtually all setups, a management VLAN is practically essential.
• Incorrect port assignments: An important step in VLAN setup is configuring whether a port is set up as an access or trunk port. Verify these configuration details with your network diagram and avoid the common mistake of putting user devices on trunk ports.
• Mismatch between trunk ports: Misconfiguring trunk ports with different native VLAN IDs on each end is a common issue with VLANs. This can lead to traffic being misrouted, dropped, or even exploited by malicious actors.

Tools and devices you’ll need

In most applications, VLANs need more than just basic unmanaged switches that simply facilitate communication between devices. You need specific hardware to accommodate a segmented network.

• Managed switch: Managed switches are a primary VLAN requirement; they provide interfaces that let you create VLANs and assign specific ports to them.
• Router or Layer 3 switch: If you need to allow communication between segments via inter-VLAN routing, a Layer 3 device is required.