VLAN | What is a virtual local area network?

Vir­tu­al­iza­tion operates with memories, computing power, software and network tech­nol­o­gy: VLAN describes a virtual, purely logical network based on an actual physical network. How does a virtual LAN work?

These days, physical networks are mostly based on one or several switches. These are devices that regulate data traffic between par­tic­i­pants. This means that all network cables are connected to the switch, enabling com­mu­ni­ca­tion between the various computers. In the meantime such switches can connect hundreds of devices to each other, ensuring rel­a­tive­ly un­in­ter­rupt­ed com­mu­ni­ca­tion. It can also make sense, however, to divide up large networks, without changing their physical in­stal­la­tion.

A virtual local area network (VLAN) is a smaller logical segment within a larger, physical, wired network. This means that the various stations are combined as a separate network, ir­re­spec­tive of the site: as long as they are combined within the same LAN, they can all be combined within a single VLAN. It's not a problem if the LAN extends to several switches. The only important thing is that the switch should also be VLAN-enabled. Managed switches are required to establish VLANs.

VLANs can be set up in different ways. The tech­nol­o­gy differs, depending on the type. In practice, there are two types: port-based VLANs and tagged VLANs. In many cases, network ad­min­is­tra­tors will use a mixture of these two types to carry out their in­stal­la­tions and al­lo­ca­tions.

In a switch, each network par­tic­i­pant is routed via a port, which is basically a socket into which the cor­re­spond­ing network cable that leads to each computer is then plugged (however, ports are also used to connect switches to each other). If you now want to turn this one physical network into two VLANs, the cor­re­spond­ing ports need to be allocated to the desired virtual network.

Although port-based VLAN in­stal­la­tions are mainly used in small networks and are then only created within a single switch, con­fig­u­ra­tion is also possible across several switches. Port 1 to 3 on the first switch and Port 1 on the second switch can be plugged into the same VLAN together. However, this requires the switches to be connected to each other via two cables – a different con­nec­tion for each VLAN.

This means that dis­tri­b­u­tion of the packages takes place via the switches them­selves. Ad­min­is­tra­tors decide which ports should be allocated to which VLAN, so the VLAN is static. If VLANs are to be dif­fer­ent­ly con­fig­ured, the ports in the switch con­fig­u­ra­tion need to be re­al­lo­cat­ed. In addition, each port – and each connected device – can only be part of a single VLAN. For a device from one VLAN to com­mu­ni­cate with another, the router forwards the message parcels, as is the case with com­mu­ni­ca­tion between a home network and the Internet.

For tagged VLANs, al­lo­ca­tion to VLANs is more dynamic: instead of being de­ter­mined in the switch, a tag in the frame of the message package is re­spon­si­ble for al­lo­ca­tion. This is why this tech­nol­o­gy is also known as frame-based, as opposed to port-based networks. The tag contains in­for­ma­tion about the current VLAN, allowing a switch to detect in which segment com­mu­ni­ca­tion takes place and route the message ac­cord­ing­ly.

A VLAN tag is 32 bits long and appears in the Ethernet frame directly after the MAC address of the sender. The tag starts with a two byte long protocol ID, the tag protocol iden­ti­fi­er (TPI), which indicates whether a VLAN ID has been provided. If a VLAN is tagged in the frame, these packets have the value 0x8100. The frame then refers to the priority of the message in three bits. This is followed by one bit for the canonical format iden­ti­fi­er (CFI). This position is only used to ensure the com­pat­i­bil­i­ty between the Ethernet and the token ring.

The protocol only notes the actual VLAN ID (VID) in the last twelve bits. The length of the frame section means that 4,096 different VLANs are available. Each VLAN receives its own number. Some network interface cards also support VLAN tagging. Linux itself can be used as a switch to support the standard, while Windows users depend on the man­u­fac­tur­er of their network interface card. The VLAN can then be set via the device operator.

The frame principle presented here uses the standard IEEE 802.1q. This is the most fre­quent­ly used variant. In reality, there are other options for including VLAN tags in a message package. Cisco, for example, uses the inter-switch link protocol (ISL) for its switches. This protocol en­cap­su­lates the entire data frame in order to enable several VLANs.

The advantage of a tagged VLAN compared to one that functions via port al­lo­ca­tion is the con­nec­tion between the various switches. Port-based systems require at least two cables between the switches, as each virtual LAN requires its own con­nec­tion. A single cable suffices for trunking in tagged VLANs, as dis­tri­b­u­tion takes place via the in­for­ma­tion of the frames. The switch detects the correct VLAN and sends it on to the cor­re­spond­ing second switch. The tag is then removed and the package is routed to the correct recipient.

Why make the extra effort to divide a larger LAN into several small VLANs?

If a new par­tic­i­pant wants to join a LAN, the device must be wired up to a switch. If an employee within the company changes teams and now has to work in a different network, they will either have to change their work­sta­tion or their work­sta­tion will need to be rewired. VLANs have a con­fig­u­ra­tion that is entirely based on software. The ad­min­is­tra­tor can flexibly allocate the same computer to another VLAN.

To ensure that unau­tho­rized persons do not gain access to sensitive data, it is a good idea to restrict the network to a small group. In a VLAN, the broadcast domain is re­strict­ed to just a few stations, so a broadcast can't reach persons for whom the in­for­ma­tion is not intended.

Improved per­for­mance is also achieved by reducing the broadcast domain. Broadcast messages no longer have to pass through the entire network. Messages which need to be sent to all network par­tic­i­pants, but only intended to reach a certain group of persons, result in un­nec­es­sary traffic. A VLAN minimizes un­nec­es­sary load on the bandwidth.

VLANs connect a logical group at different work­sta­tions. In a corporate network, for example, there may be employees in a logical group whose work­sta­tions are not all at the same site. They may be in different rooms, on different floors or even in different buildings. Con­nect­ing these persons and their computers with each other via LAN would require long cables to be routed back and forth across the company’s premises. As several switches can be combined in one VLAN, wiring can be handled in a far more sensible and orderly way.

Instead of several VLANS, it is also the­o­ret­i­cal­ly possible to set up several LANs that can then be in­ter­con­nect­ed via routers to enable com­mu­ni­ca­tion from network to network. This means ad­di­tion­al ac­qui­si­tions, however, resulting in con­sid­er­able financial ex­pen­di­ture. In­stalling parallel networks also takes a lot of time.