what is the most widely used vlan assignment method

Dynamic VLAN vs. Static VLAN

What's the difference.

Dynamic VLAN and Static VLAN are two different methods of implementing VLANs in a network. In a Static VLAN, the administrator manually assigns ports to specific VLANs, and this configuration remains fixed unless manually changed. This method provides simplicity and stability, as the VLAN assignments do not change unless intentionally modified. On the other hand, Dynamic VLAN uses protocols such as VLAN Membership Policy Server (VMPS) or VLAN Query Protocol (VQP) to dynamically assign VLANs to ports based on certain criteria like MAC address or username. This allows for more flexibility and scalability, as VLAN assignments can be automatically updated as devices connect or disconnect from the network. However, Dynamic VLAN requires additional configuration and management overhead compared to Static VLAN.

Further Detail

Introduction.

Virtual Local Area Networks (VLANs) are an essential component of modern network infrastructure, allowing network administrators to logically segment a physical network into multiple virtual networks. VLANs provide numerous benefits, such as improved security, enhanced network performance, and simplified network management. When it comes to implementing VLANs, there are two main approaches: Dynamic VLAN and Static VLAN. In this article, we will explore the attributes of both Dynamic VLAN and Static VLAN, highlighting their differences and use cases.

Dynamic VLAN

Dynamic VLAN, also known as VLAN assignment based on user authentication, is a VLAN configuration method that dynamically assigns VLAN membership to network devices based on user credentials. This approach leverages protocols such as IEEE 802.1X and RADIUS to authenticate users and dynamically assign them to the appropriate VLAN. Dynamic VLANs offer several advantages over Static VLANs.

• Flexibility: Dynamic VLANs allow for greater flexibility in network management. As users move within the network, their VLAN membership can be automatically updated based on their authentication status. This flexibility is particularly useful in environments where users frequently change their physical location or require access to different resources.
• Enhanced Security: Dynamic VLANs provide an additional layer of security by ensuring that only authenticated users can access specific VLANs. By authenticating users before granting VLAN membership, organizations can prevent unauthorized access to sensitive resources and mitigate the risk of unauthorized network access.
• Reduced Administrative Overhead: With Dynamic VLANs, network administrators can automate the VLAN assignment process, reducing the need for manual VLAN configuration. This automation saves time and effort, especially in large-scale networks with a high number of users and frequent changes in VLAN membership.
• Scalability: Dynamic VLANs are highly scalable, making them suitable for environments with a large number of users. As new users join the network, they can be easily authenticated and assigned to the appropriate VLAN without requiring manual intervention from the network administrator.
• Granular Access Control: Dynamic VLANs enable granular access control by allowing network administrators to define different VLANs for different user groups or roles. This level of granularity ensures that users only have access to the resources and services that are relevant to their specific role, enhancing network security and reducing the risk of unauthorized access.

Static VLAN

Static VLAN, also known as port-based VLAN, is a VLAN configuration method where VLAN membership is manually assigned to network devices based on the physical switch port they are connected to. In Static VLANs, the VLAN assignment remains fixed unless manually changed by the network administrator. While Static VLANs lack the dynamic nature of Dynamic VLANs, they still offer several advantages in certain scenarios.

• Simplicity: Static VLANs are relatively simple to configure and manage. Since VLAN membership is manually assigned to switch ports, there is no need for complex authentication protocols or dynamic assignment mechanisms. This simplicity makes Static VLANs an ideal choice for small networks or environments with limited VLAN requirements.
• Predictability: With Static VLANs, network administrators have complete control over VLAN assignments. This predictability can be advantageous in scenarios where network resources need to be consistently accessible from specific VLANs. By manually configuring VLAN membership, administrators can ensure that devices connected to specific switch ports always belong to the desired VLAN.
• Compatibility: Static VLANs are widely supported by network devices and are compatible with a wide range of network equipment. This compatibility makes Static VLANs a reliable choice for organizations with diverse network infrastructure or legacy devices that do not support dynamic VLAN assignment protocols.
• Stability: Since VLAN membership remains fixed in Static VLANs, there is no risk of unexpected VLAN changes due to user authentication or dynamic assignment mechanisms. This stability can be beneficial in environments where network changes need to be carefully controlled to avoid disruptions or potential security vulnerabilities.
• Performance: Static VLANs can offer slightly better network performance compared to Dynamic VLANs in certain scenarios. Since there is no need for authentication or dynamic assignment processes, network devices connected to Static VLANs can establish connectivity faster, reducing potential latency or delays.

Both Dynamic VLAN and Static VLAN have their own strengths and use cases. Dynamic VLANs provide flexibility, enhanced security, reduced administrative overhead, scalability, and granular access control. On the other hand, Static VLANs offer simplicity, predictability, compatibility, stability, and potential performance advantages in certain scenarios. The choice between Dynamic VLAN and Static VLAN depends on the specific requirements and characteristics of the network environment. Network administrators should carefully evaluate their needs and consider factors such as network size, user mobility, security requirements, and compatibility with existing infrastructure when deciding which VLAN configuration method to implement.

Comparisons may contain inaccurate information about people, places, or facts. Please report any issues.

What is Dynamic VLAN Assignment?

Written by Sean Blanton on May 24, 2021

Share This Article

When it comes to the modern enterprise, few things are more important than network and identity security. With bad actors lurking around every corner (even inside of an organization itself), maintaining a strong, secure network along with keeping credentials safe is of utmost importance to the IT admin. Several network securing tools and techniques are being employed by IT admins today, especially during the global pandemic, but one that has been a foundational approach for many years is dynamic VLAN assignment. Since IT admins are dramatically stepping up the security of their IT environments, some are asking: what is dynamic VLAN assignment and how can it help secure the network?

Network Security with Dynamic VLAN Assignment

The simple answer is that dynamic VLAN assignment (or VLAN steering as it is sometimes called) is an excellent technique used to build on the underlying core strategy to control network access. VLAN assignments build on the use of RADIUS to control access to the network.

Via RADIUS integration, a WiFi access point (WAP) requires not only an SSID and passphrase, but a user’s unique set of credentials to access the network. Once a user has passed credentials through to the WAP to the RADIUS server and directory service, the RADIUS server will reply to the WAP that the user has been authenticated and inform what VLAN they are assigned to.

IT admins configure the system to identify which users and/or groups are assigned to which VLAN. Those VLANs can be set up on the WiFi network for any number of reasons including security and compliance. By segmenting users and authenticating them with their unique credentials, IT admins can increase security significantly. This approach helps separate out critical areas of the network, and can be especially helpful in compliance situations where, for example, the cardholder data environment (CDE) can be separated from the rest of the network making PCI Compliance far easier.

Challenges with Dynamic VLAN Assignments

The challenge with this approach is the overhead for IT admins. Traditionally, to implement dynamic VLAN assignments would require a great deal of infrastructure, configuration, and administration. For starters, IT organizations would need to set up their own FreeRADIUS server and connect that instance to the wireless access points and the identity provider (IdP), often, Microsoft ® Active Directory ® .

In many networks, the IT group would also need to configure endpoints with supplicants so that they could talk to the RADIUS server over the proper protocols. All of this ended up being a significant disincentive for IT admins, and that is why many WiFi networks are secured simply with an SSID and passphrase.

With the introduction of modern cloud RADIUS solutions, however, IT admins can virtually outsource the entire process for RADIUS authentication to WiFi and dynamic VLAN assignments. This Cloud RADIUS offering doesn’t focus on RADIUS only, but also acts as the identity management source of truth that can replace an on-prem Active Directory instance. It is available from the JumpCloud Directory Platform .

Cloud RADIUS and More

JumpCloud Directory Platform is everything a directory service was, and reimagines it for the cloud era. This includes endpoint management , identity and access management, single sign-on, multi-factor authentication, and network authentication tools such as Cloud RADIUS. Relatively new to the JumpCloud Suite is dynamic VLAN assignment functionality, so network administrators can better authorize their users’ access to crucial network resources. This feature just adds one more log to the bright flame of this cloud directory.

Interested in dynamic VLAN assignment and the rest of what the platform has to offer? Contact us , or check out our knowledge base to learn more.

• Remote Work
• User Access

Reduce IT costs and complexity

Sean Blanton is the Director of Content at JumpCloud and has spent the past decade in the wide world of security, networking and IT and Infosec administration. When not at work Sean enjoys spending time with his young kids and geeking out on table top games.

Continue Learning with Related Posts

Continue learning with our newsletter.

• Network Fundamentals
• Network Cabling
• Ethernet Protocol
• TCP-UDP Protocol
• IP Protocol
• Supernetting & CIDR
• ICMP Protocol
• Domain Name System (DNS)
• Spanning Tree Protocol (STP)
• VLAN Networks
• Network Address Translation
• Cisco Routers
• Cisco Switches
• Cisco Firewalls
• Cisco Wireless
• Cisco CallManager-CCME
• Cisco Data Center (Nexus/UCS)
• Cisco Services & Technologies
• Palo Alto Networks
• F5 Networks
• Microsoft 365 Security
• SASE & SD-WAN
• Security Service Edge (SSE)
• Web Application Vulnerability Scanners
• VPN Services & Guides
• Windows Servers
• Windows Workstations (XP, 7, 8, 10, 11)
• Linux - Unix
• Virtualization & VM Backup
• OpManager - Network Monitoring & Management
• ManageEngine Firewall Analyzer

EventLog Analyzer

• Network Protocol Analyzers
• IP PBX - Unified Communications
• Security Articles
• Reviews & Interviews
• GFI Network Security
• OpenMosix - Linux Supercomputer
• More Reading

All-in-one protection

Free Download

Ransomware protection.

Download Now!

Free Download!

Get 2 vms for free.

Manage your Network!

Static VLANs

Each of these methods have their advantages and disadvantages and we will be analysing them in great depth to help you decide which would best suite your network.

Depending on the method used to assign the VLAN membership, the switch may require further configuration, but in most cases it's a pretty straight forward process. This page deals with Static VLANs while Dynamic VLANs are covered next.

Static VLAN membership is perhaps the most widely used method because of the relatively small administration overhead and security it provides. With Static VLANs, the administrator will assign each port of the switch to one VLAN. Once this is complete, they can simply connect each device or workstation to the appropriate port.

The picture below depicts an illustration of the above, where 4 ports have been configured for 4 different VLANs:

The screenshot above shows a Cisco switch (well, half of it :>) where ports 1, 2, 7 and 10 have been configured and assigned to VLANs 1, 5, 2 and 3 respectively.

At this point, we should remind you that these 4 VLANs are not able to communicate between each other without the use of a router as they are treated as 4 separate physical networks, regardless of the network addressing scheme used on each of them. However, we won't provide further detail on VLAN routing since it's covered later on.

Static VLANs are certainly more secure than traditional switches while also considerably easy to configure and monitor. As one would expect, all nodes belonging to a VLAN must also be part of the same logical network in order to communicate with one another. For example, on our switch above, if we assigned network 192.168.1.0/24 to VLAN 1, then all nodes connecting to ports assigned to VLAN 1 must use the same network address for them to communicate between each other, just as if this was an ordinary switch.

In addition, Static VLANs have another strong point - you are able to control where your users move within a large network. By assigning specific ports on your switches throughout your network, you are able to control access and limit the network resources to which your users are able to use.

A good example would be a large network with multiple departments where any network administrator would want to control where the users can physically connect their workstation or laptop and which servers they are able to access.

The following diagram shows a VLAN powered network where the switches have been configured with Static VLAN support.

The network diagram might look slightly complicated at first, but if you pay close attention to each switch, you will notice that it's quite simple - six switches with 6 VLANs configured- one VLAN per department, as shown. While each VLAN has one logical network assigned to it, the IT department has, in addition, placed one workstation in the following departments for support purposes: Management, R&D, and HR department.

The network administrator has assigned Port 1 (P1) on each department switch to VLAN 5 for the workstation belonging to the IT department, while the rest of the ports are assigned to the appropriate VLAN as shown in the diagram.

This setup allows the administrator to place any employee in the IT department, anywhere on the network, without worrying if the user will be able to connect and access the IT department's resources.

In addition, if a user in any of the above departments e.g the Management department, decided to get smart by attempting to gain access to the IT department's network and resources by plugging his workstation to Port 1 of his department's switch. He surely wouldn't get far because his workstation would be configured for the 192.168.1.0 network (VLAN 1), while Port 1 requires him to use a 192.168.5.0 network address (VLAN 5). Logically, he would have to change his IP address to match the network he is trying to gain access to, and in this case this would be network 192.168.5.0.

To sum up, with Static VLANs, we assign each individual switch port to a VLAN. The network addresses are totally up to us to decide. In our example, the switches do not care what network address is used for each VLAN as they totally ignore this information unless routing is performed (this is covered in the InterVLAN routing page). As far as the switches are concerned, if you have two ports assigned to the same VLAN, then these two ports are able to communicate between each other as it would happen on any normal layer 2 switch.

Previous - Comparing Old Flat Networks & VLAN Networks   Next - Dynamic VLANs

Your IP address:

91.193.111.216

• All-in-one protection for Microsoft 365

FREE Hyper-V & VMware Backup

Wi-Fi Key Generator

Network and server monitoring.

Follow Firewall.cx

Please enable the javascript to submit this form

Recommended Downloads

• Network Management - Monitor & Alert
• Free Hyper-V & VMware Backup

Bandwidth Monitor

• Patch Manager Plus

Firewall Analyzer

Cisco password crack.

Decrypt Cisco Type-7 Passwords on the fly!

Decrypt Now!

Free PatchManager

Security Podcast

Related Articles

InterVLAN Routing - Routing between VLAN Networks

VTP Protocol - In-Depth Analysis

VLAN Tagging - Understanding VLANs Ethernet Frames

VLAN Security - Making the Most of VLANs

VLAN InterSwitch Link (ISL) Protocol Analysis

Guide to VLANs: What They are, How They Work, and Why They Matter

Quick Definition: A virtual local area network (VLAN) divides a network to limit the number of broadcasts and users' access levels. The "virtual" in VLAN refers to the fact that the local area network is physically unchanged, but a logic layer splits it into multiple pieces.

What are VLANs? [VIDEO]

In this video, Jeremy Cioara discusses the importance of VLANs. Having the same IP subnet is fine for a small network, but too many broadcasts can slow down the network and even its devices. VLANs solve that problem and can enable a “local” network across an entire campus.

How Does a Normal LAN Work?

To understand what a VLAN is, you need to understand how a normal LAN really works. Devices on a switch frequently send broadcasts to get IP addresses , find network resources, and communicate. With a small number of devices, broadcasts are manageable. However, as the number of devices increases, broadcasts can significantly slow down the network.

When devices are plugged into a standard switch, they must be part of the same TCP/IP subnet. For example, on a six-port switch with two devices, one might have an IP of 10.1.1.50/24 and the other 10.1.1.51/24. The /24 indicates they share the same network.

These devices can communicate and access resources, but their broadcasts reach every device on the network. Like traffic on a highway, too many broadcasts can congest the network.  As the network grows, there are more and more broadcasts. If those two computers become 20, which in turn become 200—maybe eventually 2000—the number of broadcasts also increases dramatically.

Broadcasts are a necessary part of network traffic. They need to happen. However, excessive broadcasts lead to a slow network—which is why VLANs matter. 

What are the Different Types of VLANs? 

A virtual local area network (VLAN) divides a network to limit the number of broadcasts and restrict user access to parts of the network they don't need to access. The "virtual" in VLAN refers to the fact that the local area network is physically unchanged, but a layer of logic splits it into multiple pieces.

There are multiple types of VLAN, and each serves different purposes: 

Default VLAN: The initial VLAN to which all switch ports are assigned by default. On most switches, this is VLAN 1. 

Data VLAN : A VLAN designated for user-generated data traffic, isolating it from other types of traffic like voice or management.

Voice VLAN : A VLAN specifically for carrying voice traffic from IP phones, ensuring higher priority and quality of service (QoS).

Management VLAN : A VLAN used for network management traffic, such as SNMP, SSH, or Telnet. This provides a secure channel for managing network devices.

Native VLAN : The VLAN assigned to untagged traffic on a trunk port 802.1Q . It is typically used for backward compatibility with devices that don't support VLAN tagging.

What are the Benefits of VLANs? 

A VLAN breaks a single network into multiple sections by logically separating ports and switches, creating multiple standalone networks from the same backbone. This enhances security and reduces the number of broadcasts individual devices receive.

Imagine three switches chained together, each with six ports and a device plugged into each port. By assigning different ports to different VLANs, you create separate networks. For example, you could have VLANs for the accounting and sales teams, keeping their traffic and communications isolated.

This separation is crucial for security, preventing unauthorized access between departments. If you've seen the 1960s TV show Get Smart, you'll remember how often Maxwell Smart demanded the Cone of Silence . Well, the Cone of Silence was kind of the original VLAN. With one, what the accounting department says among themselves is kept private, and what the sales department says on their network can't be listened in on. 

A VLAN is an improvement on a LAN because you get a security boundary and broadcast separations.

3 Different Methods to Assign VLAN Membership to Network Devices

Assigning VLAN membership to network devices helps separate traffic and increase security. There are three general methods used to decide which VLANs each device should be assigned to: 

Port-based VLAN assignment : This method assigns VLAN membership based on the physical switch port. Each port is statically assigned to a VLAN, and any device connected to that port becomes part of the assigned VLAN. This is one of the simplest methods to separate network traffic and limit access to sensitive data. 

MAC address-based VLAN assignment: VLAN membership is determined by the connected device's MAC address. The switch uses a table to map each MAC address to a specific VLAN, allowing dynamic assignment as devices connect to the network. This method reduces the need for manual configuration and provides flexibility for users who change locations frequently. 

Protocol-based VLAN assignment: VLAN membership is assigned based on network protocol, such as IP or VOIP. This method allows traffic from different protocols to be segregated into different VLANs, helping optimize traffic management and improving security. 

Network administrators may use different methods for different parts of the network depending on the network's needs. For example, users who frequently move around the building due to shared desks may be assigned VLAN membership by MAC address, while VOIP devices use protocol-based VLAN assignment. This tailored approach optimizes network performance and security. 

How Many Switches Can a VLAN Support?

The beauty of VLANs is that they transcend switches. This allows VLANs to function across a network as they are not limited to a single switch.  

Imagine that the accounting department sends a broadcast. The switch knows what other ports are assigned to the accounting department because you configured that. On top of that, the switch looks for what Cisco calls trunk ports and what other vendors call a tagged port.

What happens is that the accounting broadcast goes out that "trunk" or "tagged" port to other connected switches, and the broadcast gets a little tag on the end that tells the next switch what VLAN it belongs to.

VLANs are numbered, they're not named. So, in our example, maybe the accounting VLAN is VLAN 10. So, as the message gets forwarded down to a different switch, the broadcast gets tagged for VLAN 10, and each subsequent switch recognizes which VLAN the message belongs to and handles it accordingly.

Trunks always forward all the traffic and still allow the VLANs to communicate. That means you can have a campus-wide VLAN network in which each separate department is separated logically through these VLANs.

How is Voice Over IP (VOIP) Affected by VLANs?

Voice over IP is a great practical example of how VLANs enhance network operations. VoIP is a huge and growing technology — it's basically plugging a phone into a network.

From a security perspective, that seems like a terrible idea. Because now you have phone conversations going across the network in the clear. There are already tools out there. One is, in fact, very popular: WireShark. WireShark allows you to sniff network packets, take phone conversations, and convert them to .wav files. So all you have to do is just double-click the .wav and hear the phone conversation.

It gets even worse when you find out that the right design for this is to daisy-chain computers from phones to save on cabling infrastructure. That could potentially mean that an entire organization's phone conversations pass through one network—and that's a lot of data that could interrupt or be interrupted by the other, standard network traffic.

With VLANs, you can completely separate those phones into their own logically separated network. In that place, the computers cannot touch them, and vice versa.

They're completely isolated from everybody, both from a security perspective, people can't get in on WireShark and start tapping phone conversations, but also from a broadcast perspective: all that computer data will never impact the phones themselves and how they're performing.

What are the Security Concerns on a VLAN?

VLANs are more secure than LANs because they limit access to specific parts of the network.  Imagine a less-than-scrupulous user on your network. The nature of a LAN means they can access all the resources of anyone else on the network. That bad user could fully access devices everywhere else, and if they decide to steal all the network data from another user, it's nearly impossible to prevent. 

VLANs are inherently more secure because they limit network access; however, there are some security concerns to be aware of. 

VLAN Hopping: Attackers can exploit switch misconfigurations to send packets to VLANs they shouldn't have access to. This can be done through techniques like double tagging or switch spoofing.

Inter-VLAN Routing : If not properly secured, routing between VLANs can expose sensitive data to unauthorized users. Access control lists (ACLs) must be used to regulate traffic between VLANs.

Broadcast Storms: Although VLANs reduce the scope of broadcast traffic, misconfigurations or certain attacks can still lead to broadcast storms that can degrade network performance or lead to denial of service (DoS).

To mitigate these concerns, ensure VLANs are properly configured and regularly monitor network traffic. Implementing additional security measures such as ACLs, secure trunk configurations, VLAN pruning, and encrypted communication protocols can also limit security risks.

Wrapping Up

With the security and efficiency boosts a network sees from implementing them, it's no wonder that virtual local area networks are the hallmark of a serious campus-wide network. Wiring them and configuring their operation usually requires careful attention and significant training. 

Looking to advance your career as a virtualization engineer? Enroll in our VMware VCP-DCV training course today!

By submitting this form you agree to receive marketing emails from CBT Nuggets and that you have read, understood and are able to consent to our privacy policy .

Recommended Articles

I have read and understood the privacy policy and am able to consent to it.

• Product Product
• Browse training
• All courses
• Certification training
• New training
• Solutions Solutions
• Active Military
• All Solutions
• Resources Resources
• Learner stories
• Why e-learning?
• Customer reviews
• Study Plans
• Ultimate Cert Guides
• Company Company
• Become a Trainer
• Transparency in Coverage
• Support Support
• Help Center

Let's chat!

Best VPN Routers for Astrill VPN Applet in 2024 & 2025

Top router options & essential internet security tips for college students, best vpn travel router: top portable router for secure connections, what is a wireless router understanding the basics (flashrouters faq), what are the most popular & best dd-wrt routers this year, how to set up a repeater bridge in dd-wrt, the difference between wireless-n, wireless-ac, wireless-ad, wi-fi 6, and wi-fi 6e, the differences between single band, dual band, and tri band routers (flashrouters faq), featured router.

AX3000 WiFi 6 VPN FlashRouter

• Perfect for Medium Homes
• Perfect for 20-30 Devices

• SHOP ROUTERS
• Sign Up for News, Updates and an Exclusive Coupon

VLAN (Virtual Local Area Networks)—What Are The Different Types of VLANs? How Does VLAN Work?

In the ever-evolving world of networking, Virtual LANs (VLANs) have emerged as a crucial tool for achieving efficient and secure communication within networks. As networks continue to grow in complexity, understanding VLANs and their benefits becomes essential for network administrators.

What is VLAN?

A VLAN, also referred to as a Virtual LAN, is a digital collection of devices that belong to a physical network. It provides the ability for network administrators to divide and separate devices into distinct broadcast domains, regardless of their physical connection to the network infrastructure. The purpose of VLAN is to improve network flexibility, safeguard security, and optimize performance.

What Are Some Common Types of VLANs?

There are different approaches to implementing VLANs, each suited to specific network requirements. Network devices, such as computers, servers, and network switches, are assigned to specific VLANs. There are a few types of common VLAN designations, as outlined below.

Port-based VLAN

Port-based VLANs assign devices to specific VLANs based on the physical switch port they are connected to. This method is widely used and offers a simple and effective way to segregate network traffic and improve network security. By assigning devices to VLANs based on their physical port, network administrators can control and manage network traffic more easily.

MAC-based VLAN

MAC-based VLANs assign devices to VLANs based on their Media Access Control (MAC) addresses. This type of VLAN provides granular control over device assignment and is useful in environments with frequent device mobility.

Protocol-based VLAN

Protocol-based VLANs classify traffic based on network protocols. This type of VLAN is often used to separate traffic for different applications or services, such as voice and video traffic or specific protocols like Internet Protocol Security (IPSec).

VLAN Network Topology

Take a look at an example of a VLAN network topology.

How Does VLAN Work?

Virtual LANs work by logically segmenting a physical network into multiple virtual networks. Instead of relying solely on physical connections, VLANs use software-based configurations and network switches to define and enforce network boundaries. Here’s a breakdown of how VLANs work:

VLAN Identification

Each VLAN is assigned a unique identifier called a VLAN ID or VLAN tag. Common VLAN ID ranges from 1 to 4094, although some switches reserve certain IDs for specific purposes.

The VLAN ID is embedded in the Ethernet frame as it travels through the network, allowing switches to identify which VLAN the frame belongs to.

VLAN Membership

Network devices, such as computers, servers, and network switches, are assigned to specific VLANs. VLAN membership is typically determined by one of the following methods: Port-Based VLAN, MAC-Based VLAN, Protocol-Based VLAN.

VLAN Communication

Devices within the same VLAN can communicate with each other as if they were connected directly, regardless of their physical location on the network.

When a device sends an Ethernet frame, the frame is tagged with the appropriate VLAN ID before leaving the device.

Network switches use VLAN tags to forward frames only to the ports associated with the corresponding VLAN. Frames within a VLAN do not cross VLAN boundaries, preventing unwanted communication between different VLANs.

Inter-VLAN Communication

In some cases, it may be necessary for devices in different VLANs to communicate with each other. Inter-VLAN communication can be achieved through various methods, including:

Router: A router with multiple network interfaces can be used to connect different VLANs. The router acts as a gateway, allowing traffic to flow between VLANs while enforcing security policies and controlling access.

Layer 3 Switch: Some network switches have Layer 3 capabilities, allowing them to perform routing functions between VLANs without the need for a separate router.

VLAN Trunking: Trunk ports on network switches can carry traffic for multiple VLANs simultaneously. These trunk links enable VLAN communication by tagging Ethernet frames with the appropriate VLAN IDs.

By using VLANs, network administrators can effectively isolate and secure network traffic, enhance performance by reducing broadcast traffic, and simplify network management by grouping devices logically rather than physically. VLANs provide flexibility, scalability, and increased control over network resources, enabling organizations to optimize their network infrastructure according to their specific needs.

What is VLAN Tagging?

VLAN tagging is a technique employed to distinguish and classify Ethernet frames related to different VLANs while they move through a network structure.

VLAN Tag Structure

A VLAN tag consists of four bytes (32 bits) added to the Ethernet frame’s original header. The VLAN tag structure includes the following fields:

Tag Protocol Identifier (TPID): A two-byte field set to a specific value (usually 0x8100) that indicates the presence of a VLAN tag.

Priority Code Point (PCP): A three-bit field used for Quality of Service (QoS) prioritization . It defines the priority level of the frame.

Canonical Format Indicator (CFI): A one-bit field that was used in older VLAN implementations but is no longer significant.

VLAN Identifier (VID): A 12-bit field that represents the VLAN ID or VLAN tag number. It identifies the specific VLAN to which the frame belongs.

VLAN Tagging Methods

There are two common methods for VLAN tagging.

IEEE 802.1Q Tagging: This is the most widely used standard for VLAN tagging. It is often used in Ethernet networks. It inserts the VLAN tag between the source MAC address and the EtherType/length fields of the Ethernet frame. The VLAN tag structure is as described above.

IEEE 802.1ad QinQ Tagging (also known as Provider Bridging or Stacked VLANs): This method allows for multiple levels of VLAN tagging. It adds an additional VLAN tag, known as the service provider tag or outer tag, to the Ethernet frame. The original VLAN tag becomes the inner tag. QinQ tagging enables service providers to maintain VLAN segregation across their networks.

VLAN Tagging and Switches

Switches are the primary devices that handle VLAN tagging.

When a switch receives an Ethernet frame with a VLAN tag, it examines the VLAN tag’s VID field to determine the VLAN to which the frame belongs. Based on the VLAN information, the switch forwards the frame only to the ports associated with that VLAN or performs additional actions, such as applying VLAN-specific policies or QoS settings. Switches also remove the VLAN tag from frames when forwarding them out of access ports connected to devices that do not support VLAN tagging, such as end-user devices.

What Do Tags Have To Do With VLAN Trunking

VLAN tagging is particularly important when dealing with VLAN trunking.

Trunk ports are used to carry traffic for multiple VLANs simultaneously between switches or between switches and routers. Trunk links preserve the VLAN tag as frames traverse the network, ensuring that frames reach the correct VLANs on the receiving switch or router.  Trunking protocols like IEEE 802.1Q enable switches to identify and process VLAN tags on trunk ports.

VLAN tagging plays a crucial role in maintaining VLAN integrity, ensuring proper VLAN membership recognition, and facilitating VLAN communication across network infrastructure. It allows for the differentiation and proper handling of frames belonging to different VLANs, enabling the implementation of VLAN-based security, QoS prioritization, and network segmentation.

What Are The Key Differences Between Tagged And Untagged Ports?

Tagged ports, untagged ports.

Can be associated with multiple VLANs

Can be associated with only a single VLAN

VLAN Tagging

Expects frames to have VLAN tags

Assumes frames are untagged

Frame Handling

Preserve and forward tagged frames based on the VLAN information

Remove VLAN tags from frames

Port Purpose

Used for inter-switch connections, router links, or connections to devices that support VLAN tagging

Typically used for end-user devices

It’s important to configure the correct port mode (untagged or tagged) to ensure proper VLAN communication and avoid misconfigurations that could result in communication issues or security vulnerabilities within the network.

What Are The Benefits And Advantages Of Virtual Local Area Networks?

VLAN connections offer several advantages that contribute to improved network efficiency, security, and manageability.

Enhanced Network Security

Isolation of Sensitive Data: VLANs allow for the segregation of sensitive data within separate VLANs, ensuring that critical information remains isolated from other parts of the network. This isolation adds an extra layer of security, preventing unauthorized access and limiting the potential impact of security breaches.

Segmentation of Network Traffic

VLANs divide the network into separate broadcast domains, effectively segregating traffic. This segmentation prevents unauthorized users or malicious activities in one VLAN from affecting devices or data in other VLANs, improving overall network security.

Improved Network Performance

Reduced Broadcast Traffic: VLANs limit the scope of broadcast traffic, ensuring that broadcasts are confined within the VLAN where they originated. This reduction in broadcast traffic helps to minimize network congestion, optimize bandwidth utilization, and improve network performance.

Enhanced Bandwidth Allocation: VLANs enable administrators to allocate network resources more effectively by separating devices based on their network requirements. High-bandwidth devices or applications can be assigned to their dedicated VLANs, preventing them from consuming excessive resources and impacting the performance of other devices or applications.

Simplified Network Management

Easy Reconfiguration and Scalability: VLANs simplify network reconfiguration and scalability. By assigning devices to VLANs based on their logical attributes rather than a physical location, administrators can easily add, remove, or relocate devices without the need for physical rewiring. This flexibility streamlines network management and reduces operational costs.

Centralized Control and Monitoring: VLANs enable centralized management and monitoring of network activity. Administrators can apply VLAN-specific policies, such as access controls and quality of service settings, from a central location. This centralized control simplifies network management tasks, improves troubleshooting efficiency, and enhances overall network visibility.

Optimized Resource Utilization

VLAN connections optimize the utilization of network resources. By logically grouping devices based on their network requirements, VLANs ensure that resources such as bandwidth, server capacity, and network services are allocated efficiently. This optimization results in improved network performance, reduced bottlenecks, and a better user experience.

Flexibility and Adaptability

VLANs offer flexibility in network design and adaptability to changing organizational needs. Administrators can easily create, modify, or remove VLANs to accommodate evolving network requirements, departmental changes, or new applications without significant disruption to the overall network infrastructure.

Static Vs Dynamic VLANs: A Brief Introduction

Static vlans, dynamic vlans.

Devices are assigned to specific VLANs manually based on outlined criteria and remain fixed unless manually changed

Devices are automatically assigned to specific VLANs based on authentication or other criteria

Configuration

Each port and device are manually configured—typically through the switch’s configuration interface

Devices automatically assigned to VLANs based on the rules set by the network administrator or the authentication mechanism used

Simplicity, Security, Simplicity

Automation, flexibility, reduced administrative overhead

Disadvantages

Manual configuration, Scalability

Complexity, potential security risks

Static VLANs and dynamic VLANs are two different approaches to configuring Virtual LANs (VLANs) in a network. Each has its advantages and use cases. Let’s explore the differences between static and dynamic VLANs:

What Is Static VLAN?

Definition: In a static VLAN configuration, network administrators manually assign devices to specific VLANs based on criteria such as switch ports, MAC addresses, or network protocols. The VLAN assignments remain fixed unless manually changed by the administrator.

Configuration: Administrators must explicitly configure each switch port and the devices connected to them to be members of specific VLANs. This is typically done through the switch’s configuration interface.

What Are The Advantages of Static VLAN?

Static VLANs are easy to configure and manage, making them a straightforward choice for smaller networks or environments with stable device configurations.

Static VLANs provide granular control over VLAN membership, reducing the risk of unauthorized access and potential VLAN hopping attacks.

Predictability

The VLAN assignments do not change unless explicitly modified, ensuring predictable network behavior.

What Are The Disadvantages of Static VLAN?

Manual Configuration: The manual assignment of devices to VLANs can be time-consuming and cumbersome, especially in larger networks or in environments where devices frequently move or change.

Scalability: As the network grows, the management overhead of static VLANs can become challenging, and changes may require a significant amount of manual effort.

What Is Dynamic VLAN?

Definition: Dynamic VLANs, also known as VLAN membership policy-based VLANs, use protocols such as IEEE 802.1x or Cisco’s Dynamic Host Configuration Protocol (DHCP) snooping to dynamically assign devices to VLANs based on authentication or other criteria.

Dynamic VLANs automatically assign devices to VLANs based on the rules set by the network administrator or the authentication mechanism used.

What Are The Advantages of Dynamic VLAN?

Dynamic VLANs automate the process of assigning devices to VLANs, making them more efficient and scalable for large networks or environments with frequent changes in device connections.

Flexibility

Devices can be dynamically assigned to VLANs based on user credentials, device characteristics, or other attributes, providing more dynamic network access control.

Reduced Administrative Overhead

Dynamic VLANs simplify network management and reduce the need for manual VLAN configuration.

What Are The Disadvantages of Dynamic VLAN?

Setting up and configuring dynamic VLANs may require more advanced knowledge and additional infrastructure, such as an authentication server for IEEE 802.1x.

Potential Security Risks

If the authentication mechanisms are not properly configured or secured, there is a risk of unauthorized devices gaining access to VLANs they should not be part of.

How Can Businesses Use a VLAN Connection To Improve Internal Connections?

In large organizations, departmental segregation is crucial for maintaining data privacy, network security, and efficient collaboration. VLANs provide an effective solution for separating different departments within an organization.

Finance Department

The finance department deals with sensitive financial information, including payroll, budgeting, and financial records. By implementing a dedicated VLAN for finance, organizations can ensure the isolation of sensitive financial data from other departments. This separation protects critical information from unauthorized access and potential security breaches, providing peace of mind to finance teams.

IT Department

The IT department is responsible for managing and maintaining the network infrastructure and devices. By assigning IT devices, such as servers, switches, and routers, to a dedicated VLAN, IT administrators can streamline their network management tasks. This separation allows for more efficient troubleshooting, configuration, and maintenance activities specific to IT infrastructure, without interfering with other departments’ operations.

Marketing Department

The marketing department often handles proprietary campaign strategies, creative assets, and market research data. By implementing a marketing VLAN, organizations can facilitate secure collaboration within the marketing team while preventing non-marketing users from accessing their sensitive data. The VLAN ensures that marketing activities can proceed smoothly while maintaining the confidentiality and integrity of their projects.

How Can VLAN Help Clients Improve Their Online Experience?

The hospitality industry, including hotels, resorts, and conference centers, often provides guest networks for visitors. VLANs play a crucial role in creating secure and efficient guest network environments.

Secure Isolation of Guest Traffic

VLANs allow for the creation of a separate guest network that is isolated from the organization’s internal network. By assigning guest devices to a dedicated VLAN, organizations can ensure the security of their internal resources. This isolation prevents unauthorized access and potential attacks from compromising sensitive data and resources.

Seamless Connectivity for Visitors

VLANs provide a seamless connectivity experience for visitors, allowing them to connect to the guest network without disrupting the organization’s primary network infrastructure. By implementing VLANs, organizations can provide controlled and secure connectivity to guests, enabling them to access the internet and necessary services while maintaining network security and performance.

How Can VLAN Help Your Business Improve Internal Communication?

Voice over Internet Protocol (VoIP) systems have become increasingly popular for business communication. VLANs offer significant benefits when it comes to separating voice and data traffic within these systems.

Quality of Service Prioritization

VLANs enable the segregation of voice and data traffic, allowing organizations to prioritize voice traffic and ensure high-quality communication. By assigning voice devices to a dedicated VLAN, network administrators can prioritize voice packets, reducing latency, packet loss, and ensuring a reliable communication experience for users.

Efficient Resource Utilization

Separating voice and data traffic through VLANs enables organizations to allocate network resources more efficiently. By prioritizing critical voice traffic over regular data traffic, VLANs help ensure that voice communication remains smooth and uninterrupted, even during periods of heavy network utilization. This resource allocation optimization leads to an overall improvement in network performance and user satisfaction.

What Is The Difference Between LAN and VLAN?

LAN (Local Area Network) and VLAN (Virtual LAN) are two distinct concepts related to computer networks that are commonly used.

Scope and Physical Infrastructure

Connects devices within a small area, usually using the same physical infrastructure.

Allows for logical division and separation of network traffic, even if not in the same location physically.

Traffic Segmentation and Isolation

All devices that are interconnected share the identical broadcast domain.

Allows for the segmentation and separation of network traffic.

VLAN Tagging and Logical Separation

No built-in distinction or recognition of traffic associated with various groups or departments.

Utilizes tagging to Ethernet frames in order to identify the specific VLAN they are a part of.

Flexibility and Scalability

Making changes to expand or reconfigure the LAN often involves physical alterations, like adding more switches or extending network cabling.

Allow for the creation, modification, or removal of virtual networks without the need for any physical adjustments to the underlying LAN infrastructure.

A local area network (LAN) is a network that connects devices within a small area, like an office, school, or house. It usually includes switches, routers, and connected devices that all use the same physical infrastructure.

On the other hand, a virtual LAN (VLAN) is a group of devices within a LAN that are logically organized together. It gives network administrators the ability to create virtual networks that spread throughout the physical LAN infrastructure, allowing for logical division and separation of network traffic.

In a conventional local area network (LAN), all devices that are interconnected share the identical broadcast domain. Consequently, any broadcast traffic, like requests for Address Resolution Protocol (ARP) or packets for network discovery, will be received by all devices within the LAN.

On the other hand, virtual local area networks allow for the segmentation and separation of network traffic. Devices that belong to the same VLAN can communicate with each other as if they were directly connected, regardless of their physical placement across various switches or network segments. VLANs establish logical boundaries that limit the reach of broadcast and communication, thereby improving security and network performance.

In a local area network (LAN), devices communicate using Ethernet frames and there is no built-in distinction or recognition of traffic associated with various groups or departments.

Virtual LANs (VLANs) utilize VLAN tagging, which includes adding extra information, tags, to Ethernet frames in order to identify the specific VLAN they are a part of. These VLAN tags indicate the frame’s membership in a VLAN and enable switches to process and forward the frames based on their assigned VLAN.

Flexibility and scalability are key factors to consider when implementing a LAN or VLAN network. While a LAN is typically set up using a specific physical infrastructure, with devices connected via network switches and routers, making changes to expand or reconfigure the LAN often involves physical alterations, like adding more switches or extending network cabling.

On the other hand, VLANs offer a higher level of flexibility and scalability. They allow for the creation, modification, or removal of virtual networks without the need for any physical adjustments to the underlying LAN infrastructure. Devices can be logically assigned to VLANs based on their specific network requirements, allowing for more dynamic network management.

What Is The Best Router For Setting Up and Managing Your VLAN Network?

Asus rt-be96u wi-fi 7 flashrouter.

• Perfect for Max Wi-Fi (30+ Simultaneous Connections)
• Blazing-fast Wi-Fi 7 (Wireless-BE)

Asus RT-BE98U PRO Wi-Fi 7 FlashRouter

Asus RT-AX88U PRO Merlin FlashRouter

• Perfect for Max Wi-Fi Coverage
• Recommended for 15+ Devices

You can also find your perfect router solution using our personalized router finder!

What Are The Potential Disadvantages of Using VLANs?

While VLANs offer numerous advantages, they also have potential disadvantages that should be considered when implementing them in a network.

Complexity and Configuration

VLANs can introduce complexity, especially in larger networks or those with intricate VLAN setups. Configuring and managing VLANs require careful planning and coordination among network administrators.

Misconfigurations or inconsistencies in VLAN configurations can result in connectivity issues, security vulnerabilities, or unintended traffic leakage.

Spanning and Scalability

In some cases, spanning VLANs across multiple switches or large network infrastructures can be challenging. Ensuring consistent VLAN configurations and maintaining proper VLAN trunking protocols can become more complex as the network scales.

As the number of VLANs and devices increases, VLAN management and coordination can become more time-consuming and prone to human error.

Increased Network Overhead

VLANs introduce additional overhead due to VLAN tagging. The VLAN tags added to Ethernet frames increase the frame size, which can slightly impact overall network throughput and latency. In certain scenarios with high VLAN density or extensive use of VLAN trunking, the increased overhead from VLAN tagging can become more noticeable.

Security Risks

Misconfigured VLANs can lead to security vulnerabilities. If VLANs are not properly configured or access controls are not adequately implemented, there is a risk of unauthorized access, also known as VLAN hopping.

VLANs can provide a false sense of security if other essential security measures, such as firewall rules, access controls, and encryption, are not properly implemented across the network.

Limited Broadcast Domain Isolation

While VLANs effectively isolate broadcast traffic within a VLAN, they do not provide complete isolation of broadcast domains. Broadcast traffic generated within a VLAN can still impact network performance and potentially consume excessive resources.

Inter-VLAN Communication Challenges

Enabling communication between different VLANs requires additional configuration and devices, such as routers or Layer 3 switches. Configuring and managing inter-VLAN routing can be complex, especially in larger networks.

Implementing VLANs may require investment in network switches with VLAN support, especially if existing infrastructure lacks the necessary capabilities. This cost should be considered when planning VLAN deployments.

While these potential disadvantages exist, they can be mitigated through proper planning, configuration, and ongoing management. It is important to thoroughly assess network requirements, consider the scalability of VLAN implementations, and regularly review and update VLAN configurations to maintain a secure and efficient network environment.

Can You Configure A VLAN Connection On An Asus FlashRouter?

Yes! Select Asus router support VLAN connections. Check out our post on setting VLAN router to learn how to do it!

Can You Configure A VLAN Connection On An ExpressVPN FlashRouter?

At the moment, no. ExpressVPN-configured FlashRouters do not support VLAN Connection.

Can You Configure A VLAN Connection On A DD-WRT FlashRouter?

Indeed! We even have a specific post about setting up VLAN on your DD-WRT network!

Can You Configure A VLAN Connection On A Privacy Hero?

At the moment, no. The Privacy Hert does not support VLAN tagging.

Have any questions about VLANs? Feel free to reach out!

What Is The Best Way To Stream Premier League Games in 2023-24?

VPN Protocols: The Differences Between PPTP, L2TP, OpenVPN, IKEv2, Lightway, and WireGuard (Networking FAQ)

Most Popular VPN Routers

Best vpn routers 2024.

Looking for the most secure router for VPN service options? Look no further.

View 2024’s best Routers ⇥

BEST VPNs OF 2024

“With FlashRouters, you’re getting the best of both worlds, the freedom of open source with the support of stock.” — TechJunkie

“The FlashRouters team has expanded the usefulness of their devices even further with the addition of a new VPN Privacy App.” — VPNFAN

“The FlashRouters DD-WRT app is by far the easiest way to use a VPN on a router.” — ProPrivacy

“As far as we’re concerned, FlashRouters’ Linksys VPN Router is a must-have for anyone looking to keep their entire household’s data private and secure.” — Android Authority

• Skip to content
• Skip to search
• Skip to footer

VLAN Best Practices and Security Tips for Cisco Business Routers

Available languages, download options.

• PDF (616.6 KB) View with Adobe Reader on a variety of devices
• ePub (614.3 KB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
• Mobi (Kindle) (418.8 KB) View on Kindle device or Kindle app on multiple devices

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

The objective of this article is to explain the concepts and steps for performing best practices and security tips when configuring VLANs on Cisco Business equipment.

Table of Contents

Some quick vocabulary for the newbies, port assignment basics, configuring access ports, configuring trunk ports, frequently asked questions, best practice #3 - create a “dead end” vlan for unused ports, best practice #4 - ip phones on a vlan, best practice #5 - inter-vlan routing, introduction.

Want to make your business network more efficient while keeping it secure? One of the ways to do this is to correctly set up Virtual Local Area Networks (VLANs).

A VLAN is a logical group of workstations, servers, and network devices that appear to be on the same Local Area Network (LAN) despite their geographical distribution. In a nutshell, hardware on the same VLANs enable traffic between equipment to be separate and more secure.

For example, you might have an Engineering, Marketing, and Accounting department. Each department has workers on different floors of the building, but they still need to access and communicate information within their own department. It is essential for sharing documents and web services.

VLANs need to be set up with best practices in order to keep your network secure. Make the following smart choices when setting up VLANs. You won’t regret it!

Applicable Devices

You might be interested to know that the RV160 or RV260 series routers can carry up to 16 VLANs, while the RV34x series routers can carry up to 32 VLANs. The RV320 supports up to 7 VLANs. If you would like to know how many VLANs your router can carry, check the Data Sheet for your specific model on the Cisco Website . Select Support and enter your model number or simply do a search for the Data Sheet and model number.

Access Port: An access port carries traffic for only one VLAN. Access ports are often referred to as an untagged port, since there is only one VLAN on that port and traffic can be passed without tags.

Trunk Port: A port on a switch that carries traffic for more than one VLAN. Trunk ports are often referred to as tagged ports since there is more than one VLAN on that port and traffic for all but one VLAN need to be tagged.

Native VLAN: The one VLAN in a trunk port that doesn’t receive a tag. Any traffic that doesn’t have a tag will be sent to the native VLAN. That is why both sides of a trunk need to make sure they have the same native VLAN or traffic will not go to the correct place.

Best Practice #1 - VLAN Port Assignment

• Each LAN port can be set to be an access port or a trunk port.
• VLANs that you don’t want on the trunk should be excluded.
• A VLAN can be placed in more than one port.
• One VLAN assigned on a LAN port
• The VLAN that is assigned this port should be labeled Untagged
• All other VLANs should be labeled Excluded for that port

To set these correctly, navigate to LAN > VLAN Settings . Select the VLAN IDs and click on edit icon. Select the drop-down menu for any of the LAN interfaces for VLANs listed to edit the VLAN tagging. Click Apply .

Check out this example of each VLAN assigned its own LAN port:

This Graphical User interface (GUI) image was taken from an RV260W router. Your options may appear slightly different. For example, on the RV34x series, the labels Untagged , Excluded , and Tagged are abbreviated to just the first letter. The process is still the same.

• Two or more VLANs share one LAN port
• One of the VLANs can be labeled Untagged .
• The rest of the VLANs that are part of the trunk port should be labeled Tagged .
• The VLANs that are not part of the trunk port should be labeled Excluded for that port.

Take a look at this example of various VLANs that are all on trunk ports. To set these correctly, select the VLAN IDs that need to be edited. Click on the edit icon. Change them based on your needs, following the above recommendations. By the way, did you notice that VLAN 1 is excluded from every LAN port? This will be explained in the section, Best Practice for Default VLAN 1 .

Why is a VLAN left untagged when it is the only VLAN on that port?

Since there is just one VLAN assigned on an access port, outgoing traffic from the port is sent without any VLAN tag on the frames. When the frame reaches the switch port (incoming traffic), the switch will add the VLAN tag. 

Why are VLANs tagged when they are part of a trunk?

This is done so that traffic that passes doesn't get sent to the wrong VLAN on that port. The VLANs are sharing that port. Similar to apartment numbers added to an address to make sure the mail goes to the correct apartment within that shared building.

Why is traffic left untagged when it is part of the native VLAN? 

A Native VLAN is a way of carrying untagged traffic across one or more switches. The switch assigns any untagged frame that arrives on a tagged port to the native VLAN. If a frame on the native VLAN leaves a trunk (tagged) port, the switch strips the VLAN tag out.

Why are VLANs excluded when they are not on that port?

This keeps the traffic on that trunk only for the VLANs the user specifically wants. It is considered a best practice.

Best Practice #2 - Default VLAN 1 and Unused Ports

All ports need to be assigned to one or more than one VLAN, including the native VLAN. Cisco Business routers come with VLAN 1 assigned to all ports by default.

A management VLAN is the VLAN that is used to remotely manage, control, and monitor the devices in you network using Telnet, SSH, SNMP, syslog, or Cisco’s FindIT. By default, this is also VLAN 1. A good security practice is to separate management and user data traffic. Therefore, it is recommended that when you configure VLANs, you use VLAN 1 for management purposes only.

To communicate remotely with a Cisco switch for management purposes, the switch must have an IP address configured on the management VLAN. Users in other VLANs would not be able to establish remote access sessions to the switch unless they were routed into the management VLAN, providing an additional layer of security. Also, the switch should be configured to accept only encrypted SSH sessions for remote management. To read some discussions on this topic, click on the following links on the Cisco Community website:

• Management VLAN Discussion #1
• Management VLAN Discussion #2

Why is default VLAN 1 not recommended to virtually segment your network?

The main reason is that hostile actors know VLAN 1 is the default and often used. They can use it to gain access to other VLANs via “VLAN hopping”. As the name implies, the hostile actor may send spoofed traffic posing as VLAN 1 which enables access to trunk ports and thereby other VLANs.

Can I leave an unused port assigned to default VLAN 1 ?

To keep your network secure, you really shouldn’t. It is recommended to configure all those ports to be associated with VLANs other than default VLAN 1.

I don’t want to assign any of my production VLANs to an unused port. What can I do?

It is recommended that you create a “dead-end” VLAN following the instructions in the next section of this article.

Step 1. Navigate to LAN > VLAN Settings .

Choose any random number for the VLAN. Be sure that this VLAN does not have DHCP, Inter-VLAN routing, or device management enabled. This keeps the other VLANs more secure. Put any unused LAN port on this VLAN. In the example below, VLAN 777 was created and assigned to LAN5 . This should be done with all unused LAN ports.

Notice that the other VLANs are excluded from this LAN port.

Step 2. Click on the Apply button to save the configuration changes you have made.

Voice traffic has stringent Quality of Service (QoS) requirements. If your company has computers and IP phones on the same VLAN, each tries to use the available bandwidth without considering the other device. To avoid this conflict, it is good practice to use separate VLANs for IP telephony voice traffic and data traffic. To learn more about this configuration, check out the following articles and videos:

• Cisco Tech Talk: Voice VLAN Setup and Configuration Using Cisco Small Business Products (video)
• Configuring Auto Voice VLAN with QoS on the SG500 Series Switch
• Voice VLAN Configuration on the 200/300 Series Managed Switches
• Cisco Tech Talk: Configuring Auto-Voice VLAN on SG350 and SG550 Series Switches (video)

VLANs are set up so that traffic can be separate, but sometimes you need VLANs to be able to route between each other. This is inter-VLAN routing and is typically not recommended. If this is a need for your company, set it up as securely as possible. When using inter-VLAN routing, make sure to restrict traffic using Access Control Lists (ACLs), to servers that contain confidential information.

ACLs perform packet filtering to control the movement of packets through a network. Packet filtering provides security by limiting the access of traffic into a network, restricting user and device access to a network, and preventing traffic from leaving a network. IP access lists reduce the chance of spoofing and denial-of-service attacks, and allow dynamic, temporary user-access through a firewall.

• Inter-VLAN Routing on an RV34x Router with Targeted ACL Restrictions
• Cisco Tech Talk: Configuring Inter-VLAN Routing on SG250 Series Switches (video)
• Cisco Tech Talk: Inter-VLAN Configuration on RV180 and RV180W (video)
• RV34x Inter-VLAN Access Limitation (CSCvo92300 bug fix)

There you have it, now you know some best practices for setting up secure VLANs. Keep these tips in mind when you configure VLANs for your network. Listed below are some articles that have step by step instructions. These will keep you moving toward a productive, efficient network that is just right for your business.

• Configuring VLAN Settings on the RV160 and RV260
• Configure Virtual Local Area Network (VLAN) Settings on an RV34x Series Router
• Configure VLAN Membership on RV320 and RV325 VPN Routers
• Configure Virtual Local Area Network (VLAN) Membership on an RV Series Router
• Configure VLAN Interface IPv4 Address on an Sx350 or SG350X Switch through the CLI

Revision History

Was this Document Helpful?

Contact Cisco

• (Requires a Cisco Service Contract )

• Support Forum
• Customer Service
• Internal Article Nominations
• FortiClient
• FortiAnalyzer
• FortiAuthenticator
• FortiBridge
• FortiCarrier
• FortiConnect
• FortiConverter
• FortiDeceptor
• FortiDevSec
• FortiDirector
• FortiExtender
• FortiGate Cloud
• FortiHypervisor
• FortiInsight
• FortiIsolator
• FortiManager
• FortiMonitor
• FortiNDR (on-premise)
• FortiNDRCloud
• FortiPortal
• FortiRecorder
• FortiSandbox
• FortiSwitch
• FortiTester
• FortiWebCloud
• Wireless Controller
• RMA Information and Announcements
• FortiCloud Products
• 4D Documents
• Engage Services
• The EPSP Platform
• The ETSP Platform
• Discussions & Onboarding Information
• Technical Learning
• Getting Started Resources
• Discussions
• Knowledge Base
• Idea Exchange
• Announcements
• Live security workshops
• Fortinet Community
• Technical Tip: Understanding the Difference Betwee...
• Subscribe to RSS Feed
• Mark as New
• Mark as Read
• Printer Friendly Page
• Report Inappropriate Content

Technical Tip: Understanding the Difference Between VLAN Protocols 802.1Q and 802.1AD (QinQ)

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

• Threat Research
• FortiGuard Labs
• Threat Briefs
• Security Fabric
• Certifications
• Industry Awards
• Social Responsibility
• News Releases
• News Articles

Copyright 2024 Fortinet, Inc. All Rights Reserved.

• Terms of Service
• Privacy Policy
• Cookie Settings

CCNA 200-301 v1.1

• CCNA 200-301 Labs
• CCNP 350-401 ENCOR
• CCNP 350-401 ENCOR Labs
• CCNP 300-410 ENARSI
• CCIE Enterprise Infrastructure
• Cisco Packet Tracer Lab Course
• NRS II IRP Course
• NRS II MPLS Course
• NRS II Service Architecture
• Nokia Configuration Course
• Nokia SRC Program
• JNCIA Junos
• HCIA (HCNA)
• HCIA Configuration Course
• What is Huawei R&S Certification?
• Huawei ICT Certifications
• Python Course
• IPv6 Course
• IP Multicast Course
• NRS I Configuration Course
• Cisco Packet Tracer How To Guide
• Online Courses
• Udemy Courses
• CCNA Flashcard Questions
• Protocol Cheat Sheets
• Subnetting Cheat Sheet
• Linux Cheat Sheet
• Python Cheat Sheet
• CLI Commands Cheat Sheets
• Miscellaneous Cheat Sheets
• Cisco Packet Tracer Labs
• Cisco GNS3 Labs
• Huawei eNSP Labs
• Nokia GNS3 Labs
• Short Config Videos
• Network Tools
• IPCisco on Social Media
• Network Engineer Interview Questions
• Personality Interview Training
• Sign In/Up | Members
• Lost password
• Sign In/Sign Up
• ENROLL HERE

• VLANs (Virtual Local Area Networks)

Table of Contents

What is a VLAN?

In this lesson, we will talk about one of the key lessons in networking, especially in switching. We will explain VLAN definition and we will answer the question what is a VLAN?  In the following lessons, we will learn the details of Virtual LANs and we will practice with VLAN Configuration Examples . You can also check the definion on Wiki .

VLAN Definition

If we do a simple VLAN definition , Virtual Local Area Networks  are the Logical Virtual Networks that groups network devices in it. In another definition, they are a layer 2 technology with which you can seperate big networks into smaller networks. This can be done for reducing broadcast traffic, network performance improvement, security purpose or to seperate different departments each other and for network flexibility.

In a company, different Virtual LANs can be used for different departments. Think about that these departments are IT, HR and Finance. In a single company LAN, with Virtual LANs , each of these department networks become separate networks.

Virtual LANs are Logical networks. In the first place they are defined on the switches and then the ports are assigned to them. By doing this, VLANs members ports appear.

VLAN (Virtual Local Area Network) We will learn the key points of Virtual LANs , but firstly, let’s check two important domain terms used in networks.

1.Virtual LAN Example

2.Virtual LAN Example

Collision and Broadcast Domains

Generally fistly two terms are learned by new engineers about computer networks. These terms are Collision Domain and Broadcast Domain . It can be good to define these terms again. Because in the VLAN lesson, these terms are ciritically important.

Collision domain : A single physical line that a colision can occur. Example: Hubs have one collision domain and only one connected node can make a transfer at any time. Switches collision domain number is like their port number by default.

Broadcast domain : A logical division of networks that all nodes can reach eachother at data link layer(layer 2). Example: Switches are one broadcast domain. Because without any restriction, if one node sends something from one port, all other ports receive it. Routers’ each port is one broadcast domain.

VLANs What is it?

Let’s return our main lesson again. Virtual Local Area Networks help you to build new child broadcast domains in one switch or in one broadcast domain. After Configuring VLANs , each Virtual LAN become a single broadcast domain and without routing, there is no communication between Virtual LANs.

There are also Collision Domains in the Virtual LANs again. Each VLAN has Collision Domain as the number of their assigned ports .

Here, Virtual LANs can be thinked like small switches in the main switch.

On Cisco switches, all the ports are the member of VLAN 1 by default . So if no VLAN Configuration done, all the ports are in the same Virtual LAN , Virtual LAN 1. And they are in the same Broadcast Domain as mentioned above.

What is Native VLAN?

By default Native VLAN is 1 . By default , all untagged frames are member of it. This Native VLAN can be changed by a trunk port. For example, think about that, one trunk’s NativeVLAN is 5. Here, all the untagged and 5 tagged frames are belong to that Virtual LAN 5. Here the important point is, each end of the connection must be configured with the same configuration.

ISL trunks does not support the NativeVLAN and untagged frames. But dot1.q trunks supports.

On the other hand, Native VLAN is a security risk . To avoid this risk, NativeVLAN can be assigned to an unused port or disabled port. You can also make the trunk ports to tag the Native Virtual LAN .

In this lesson, we have talked about Virtual LAN definition, what is a VLAN simply and Native VLAN. Beside, we have remembered Collision and Broadcast Domains. In the next lessons, we will learn more on Virtual LANs and we will learn How to Configure VLANs .

Cisco VLAN Example

After learning what is a VLAN meaning and some of its details, now, it is time to configure an example for vlanes . For our cisco vlan example , we will use the below topology. Here, we will use three switches which have three PCs connected to them. We will create VLAN 10 and 20.

To configure vlanes, we will follow the below steps one by one:

• Setting PC ip addresses
• Creating vlanes
• Setting Access ports
• Assigning vlans to access ports
• Setting Trunk ports
• Allow VLANs on trunks
• Verification

Setting IP Addresses

The first configuration step is about ip addressing. We will configure ip addresses of the PCs as it is given on the topology. We will set only ip address and subnet mask.

Here, we will use 10.10.10.0/24 prefix for VLAN 10 and 20.20.20.0/2 4 for VLAN 20 . We will give the below ip addresses to the PCs.

PC1: 10.10.10.1

PC2: 10.10.10.2

PC3 10.10.10.3

PC4: 10.10.10.4

PC5: 10.10.10.5

PC6: 10.10.10.6

PC7: 10.10.10.7

PC8: 10.10.10.8

PC9: 10.10.10.9

We will use 255.255.255.0 subnet mask.

Creating VLANes

The second thing we will do is creating vlanes . Normally, we do not need to use this step, because during access port vlan assigning, vlanes are automatically created. But here, we are writing these steps to show you how to create them manually.

Switch A# configure terminal Switch A (config)# vlan 10 Switch A (config-vlan)# vlan 20

Switch B# configure terminal Switch B (config)# vlan 10 Switch B (config-vlan)# vlan 20

Switch C# configure terminal Switch C (config)# vlan 10 Switch C (config-vlan)# vlan 20

Setting Access Ports and Assigning VLANs

In the third step, we will set access ports and assign created vlans to these access ports. To do this, we will use the below commands on each switch.

Switch A (config)# interface FastEthernet0/2 Switch A (config-if)# switchport mode access Switch A (config-if)# switchport access vlan 10 Switch A (config)# interface FastEthernet0/3 Switch A (config-if)# switchport mode access Switch A (config-if)# switchport access vlan 10 Switch A (config)# interface FastEthernet0/4 Switch A (config-if)# switchport mode access Switch A (config-if)# switchport access vlan 20

Switch B (config)# interface FastEthernet0/2 Switch B (config-if)# switchport mode access Switch B (config-if)# switchport access vlan 20 Switch B (config)# interface FastEthernet0/3 Switch B (config-if)# switchport mode access Switch B (config-if)# switchport access vlan 10 Switch B (config)# interface FastEthernet0/4 Switch B (config-if)# switchport mode access Switch B (config-if)# switchport access vlan 10

Switch C (config)# interface FastEthernet0/2 Switch c (config-if)# switchport mode access Switch C (config-if)# switchport access vlan 20 Switch C (config)# interface FastEthernet0/3 Switch c (config-if)# switchport mode access Switch C (config-if)# switchport access vlan 10 Switch C (config)# interface FastEthernet0/4 Switch c (config-if)# switchport mode access Switch C (config-if)# switchport access vlan 10

Setting Trunk Ports and Allowing VLANs

After setting access ports, now it is time to configure trunk ports. To do this, we will use the below commands under trunk interfaces. On Switch C, there are two trunk interfaces, so we will configure two interface as trunks.

Switch A (config)# interface FastEthernet0/1 Switch A (config-if)# switchport mode trunk Switch A (config-if)# switchport nonegotiate Switch A (config-if)# switchport trunk allowed vlan 10,20

Switch B (config)# interface FastEthernet0/1 Switch B (config-if)# switchport mode trunk Switch B (config-if)# switchport nonegotiate Switch B (config-if)# switchport trunk allowed vlan 10,20

Switch C (config)# interface FastEthernet0/1 Switch C (config-if)# switchport mode trunk Switch C (config-if)# switchport nonegotiate Switch C (config-if)# switchport trunk allowed vlan 10,20 Switch C (config-if)# interface FastEthernet0/2 Switch C (config-if)# switchport mode trunk Switch C (config-if)# switchport nonegotiate Switch C (config-if)# switchport trunk allowed vlan 10,20

VLAN Verification

At last step, we will verify our configuration. To do this, we will use “ show vlan brief ” and “ show interface trunk ” commands for the verification.

Switch A# show vlan brief VLAN Name                             Status    Ports —- ——————————– ——— ——————————- 1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11, Fa0/12 Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/19, Fa0/20 Fa0/21, Fa0/22, Fa0/23, Fa0/24 Gig0/1, Gig0/2 10   VLAN0010                         active    Fa0/2, Fa0/3 20   VLAN0020                         active    Fa0/4 1002 fddi-default                     active 1003 token-ring-default               active 1004 fddinet-default                  active 1005 trnet-default                    active

Switch A# show interfaces trunk Port        Mode         Encapsulation  Status        Native vlan Fa0/1       on           802.1q         trunking      1 Port        Vlans allowed on trunk Fa0/1       10,20 Port        Vlans allowed and active in management domain Fa0/1       10,20 Port        Vlans in spanning tree forwarding state and not pruned Fa0/1       10,20

Switch B# show vlan brief VLAN Name                             Status    Ports —- ——————————– ——— ——————————- 1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11, Fa0/12 Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/19, Fa0/20 Fa0/21, Fa0/22, Fa0/23, Fa0/24 Gig0/1, Gig0/2 10   VLAN0010                         active    Fa0/3, Fa0/4 20   VLAN0020                         active    Fa0/2 1002 fddi-default                     active 1003 token-ring-default               active 1004 fddinet-default                  active 1005 trnet-default                    active

Switch B# show interfaces trunk Port        Mode         Encapsulation  Status        Native vlan Fa0/1       on           802.1q         trunking      1 Port        Vlans allowed on trunk Fa0/1       10,20 Port        Vlans allowed and active in management domain Fa0/1       10,20 Port        Vlans in spanning tree forwarding state and not pruned Fa0/1       10,20

Switch C# show vlan brief VLAN Name                             Status    Ports —- ——————————– ——— ——————————- 1    default                          active    Fa0/6, Fa0/7, Fa0/8, Fa0/9 Fa0/10, Fa0/11, Fa0/12, Fa0/13 Fa0/14, Fa0/15, Fa0/16, Fa0/17 Fa0/18, Fa0/19, Fa0/20, Fa0/21 Fa0/22, Fa0/23, Fa0/24, Gig0/1 Gig0/2 10   VLAN0010                         active    Fa0/3, Fa0/4 20   VLAN0020                         active    Fa0/5 1002 fddi-default                     active 1003 token-ring-default               active 1004 fddinet-default                  active 1005 trnet-default                    active

Switch C# show interfaces trunk Port        Mode         Encapsulation  Status        Native vlan Fa0/1       on           802.1q         trunking      1 Fa0/2       on           802.1q         trunking      1 Port        Vlans allowed on trunk Fa0/1       10,20 Fa0/2       10,20 Port        Vlans allowed and active in management domain Fa0/1       10,20 Fa0/2       10,20 Port        Vlans in spanning tree forwarding state and not pruned Fa0/1       10,20 Fa0/2       10,20

Beside we will ping PCs in the same VLAN but connected to different VLANs. For example, we will ping from PC1 to PC5 or PC3 to PC4.

Firstly, let’s ping from PC 1 to PC 5 and PC8 . These PCs are in VLAN 10 .

C:\> ping 10.10.10.5 Pinging 10.10.10.5 with 32 bytes of data: Reply from 10.10.10.5: bytes=32 time<1ms TTL=128 Reply from 10.10.10.5: bytes=32 time=1ms TTL=128 Reply from 10.10.10.5: bytes=32 time<1ms TTL=128 Reply from 10.10.10.5: bytes=32 time<1ms TTL=128 Ping statistics for 10.10.10.5: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\> ping 10.10.10.8 Pinging 10.10.10.8 with 32 bytes of data: Reply from 10.10.10.8: bytes=32 time<1ms TTL=128 Reply from 10.10.10.8: bytes=32 time=1ms TTL=128 Reply from 10.10.10.8: bytes=32 time<1ms TTL=128 Reply from 10.10.10.8: bytes=32 time<1ms TTL=128 Ping statistics for 10.10.10.8: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms  

Then, let’s ping from PC3 to PC4 and PC9 . These PCs are in VLAN 20 .

C:\> ping 20.20.20.4 Pinging 20.20.20.4 with 32 bytes of data: Reply from 20.20.20.4: bytes=32 time=1ms TTL=128 Reply from 20.20.20.4: bytes=32 time<1ms TTL=128 Reply from 20.20.20.4: bytes=32 time<1ms TTL=128 Reply from 20.20.20.4: bytes=32 time=1ms TTL=128 Ping statistics for 20.20.20.4: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\> ping 20.20.20.9 Pinging 20.20.20.9 with 32 bytes of data: Reply from 20.20.20.9: bytes=32 time<1ms TTL=128 Reply from 20.20.20.9: bytes=32 time<1ms TTL=128 Reply from 20.20.20.9: bytes=32 time=2ms TTL=128 Reply from 20.20.20.9: bytes=32 time=1ms TTL=128 Ping statistics for 20.20.20.9: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 2ms, Average = 0ms

2 Responses to “VLANs (Virtual Local Area Networks)”

Good for learning

Thank you Masanja:) good luck!

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Network Fundamentals

• Collision Domain vs Broadcast Domain
• Coaxial Cable Details
• Types of Networks
• Top Internet Access Technologies
• WAN Topology Types
• Network Topology Architectures
• Power Over Ethernet (PoE)
• Ethernet Collisions and Troubleshooting
• Cisco NGFW and Cisco NGIPS
• Networking Connectors
• Ping Command
• Basic Cisco Router Configuration on Packet Tracer
• ICMP (Internet Control Message Protocol)
• Address Resolution Protocol (ARP)
• Network Cabling
• Network Devices
• TCP/IP Model
• OSI Referance Model

IPv4 Addressing

• Verify IP Parameters for Client OS
• Wildcard Mask
• VLSM Subnetting
• IPv4 vs IPv6 Comparison
• Cisco IP Address Configuration
• APIPA Address
• Private IP Address Ranges
• Subnetting Examples
• IP Addressing (IPv4)
• IP Subnetting and Subnetting Examples

IPv6 Addressing

• IPv6 Unique Local Address
• IPv6 Global Unicast Address

TCP and UDP

• TCP Header : Sequence & Acknowledgement Number
• TCP Handshake
• TCP versus UDP
• UDP (User Datagram Protocol)
• TCP (Transmission Control Protocol)
• TCP Header : TCP Options
• TCP Header : TCP Window Size, Checksum &amp; Urgent Pointer
• TCP Header : TCP Flags
• Voice VLAN Configuration
• Packet Tracer VLAN Example 2
• How to Configure Cisco VLANs
• VTP Configuration with Packet Tracer
• VTP (VLAN Trunking Protocol)
• DTP and VLAN Frame Tagging protocols ISL, dot1.q
• Cisco Packet Tracer VLAN Configuration Example
• VLAN Port Assignment and VLAN Port Types

Switching and LANs

• Ethernet Basics
• Layer 2 vs Layer 3 Switch
• Cisco Switch Configuration on Cisco Packet Tracer
• MAC Address Lookup
• What is a mac address
• Local Area Networks
• Network Topologies
• Hubs, Switches and Routers

Spanning Tree Protocol

• Loop Guard, Uplink Fast, Backbone Fast and UDLD
• BPDU (Bridge Data Unit Protocol)
• STP Loop Guard
• STP BPDU Filter
• STP BPDU Guard
• STP Root Guard
• Portfast, Root Guard, BPDU Filter and BPDU Guard
• PVST+ and Rapid PVST+
• STP (Spanning Tree Protocol) Example on Packet Tracer
• RSTP Configuration on Packet Tracer
• STP Portfast Configuration with Packet Tracer
• Spanning Tree Protocol Operation
• Rapid Spanning Tree Protocol (RSTP)
• Spanning Tree Protocol (STP)

Neighbor Discovery

• LLDP Configuration on Cisco IOS
• Neighbour Discovery Protocols
• CDP Configuration with Packet Tracer

EtherChannels

• PAgP Configuration on Cisco Devices
• LACP Configuration on Cisco Devices
• Link Aggregation Control Protocol (LACP)

Routing Fundamentals

• Route Summarization
• Routing Path Determination
• Routing Table
• Static Routes
• IPv4 Floating Static Routes
• Inter VLAN Routing Configuration on Packet Tracer
• Switch Virtual Interface Configuration on Packet Tracer
• Switch Virtual Interfaces
• Inter VLAN Routing with Router on Stick
• IP and Layer 3 Overview
• Static Route Configuration on Cisco Routers
• Dynamic Routing Protocols
• OSPF Cost and SPF Algorithm
• OSPFv3 Configuration Example on Cisco IOS
• OSPFv3 (Open Shortest Path First Version 3)
• Cisco Single Area OSPF Configuration
• Other OSPF Key Points
• OSPF Network Types
• OSPF Area Types
• OSPF LSA Types
• OSPF Packet Types
• OSPF Adjacency
• OSPF(Open Shortest Path First) Overview

WAN (Wide Area Networks)

• MLPPP Configuration on Cisco Packet Tracer
• What is MLPPP?
• Metro Ethernet Technology
• WAN and WAN Technologies

DHCP and DNS

• DNS Configuration on Cisco Routers
• Domain Name System Overview
• Router DHCP Configuration with Packet Tracer
• DHCP IP Allocation Operation
• DHCP (Dynamic Host Configuration Protocol)
• NAT (Network Address Translation)
• PAT Configuration with Packet Tracer
• Dynamic NAT Configuration with Packet Tracer
• Static NAT Configuration with Packet Tracer

First Hop Redundancy

• HSRP Configuration on Cisco IOS
• HSRP (Hot Standby Router Protocol)
• First Hop Redundancy Protocols (FHRPs)

Network Management

• Syslog Overview
• Configuration Register
• TFTP, FTP, SFTP and SCP
• SSH Configuration on Packet Tracer
• Syslog Configuration Cisco
• Cisco NTP Configuration
• NTP (Network Time Protocol)
• SNMP Overview
• SNMP Configuration On Cisco IOS
• Cisco Router Password Recovery
• IPv6 Floating Static Routes
• IPv6 Static and Default Route Configuration
• Stateless Address Auto Configuration
• IPv6 NDP (Neighbour Discovery Protocol)
• IPv6 Configuration on Cisco Packet Tracer
• What does IPv6 bring?
• Subnetting in IPv6
• IPv6 Address Types
• IPv4 and IPv6 Headers
• IPv6 and IPv6 Addresses

Quality of Service

• Network Traffic Types
• Policing and Shaping in QoS
• Classification and Marking in QoS
• Quality of Service Overview
• Radius Configuration for Wireless Users
• Cisco RADIUS Server Configuration on Packet Tracer
• TACACS+ Overview
• RADIUS Overview
• AAA Protocols : RADIUS and TACACS+
• Authentication, Authorization, Accounting (AAA)
• WLAN Frequency Bands
• Other Wireless Network Extention Types
• Wireless Principles
• WLAN Components
• Wireless Network Design Models
• WLC Management Access Connections
• Wireless Access Point Modes
• Wireless Security Protocols
• WLAN Configuration on Packet Tracer

Security Fundamentals

• DHCP Snooping Configuration on Packet Tracer
• Cisco Banner Configuration on Packet Tracer
• What is DHCP Snooping?
• Access Control Lists
• Multifactor Authentication (MFA)
• Dynamic ARP Inspection
• Cyber Attacks, Network Attacks, Threats and Mitigation
• 802.1x (Port Based Network Access Control)
• Switch Port Security Configuration on Cisco Packet Tracer
• Switch Port Security
• Extended Access List Configuration With Packet Tracer
• Standard Access List Configuration With Packet Tracer
• Basic Cisco Router Security Configuration

Automation and Programmability

• Ansible vs Puppet vs Chef
• Generative AI vs Predictive AI
• Chef Overview
• Puppet Overview
• Ansible Overview
• Network Automation Tools
• Interpret JSON Encoded Data
• Cisco DNA Center
• Cisco SD-Access
• Data Serialization Languages: JSON, YAML, XML
• Traditional Network Management versus Cisco DNA Center
• Cisco DNA and Intent-Based Networking (IBN)
• How Network Automation Impacts Network Management

SDN (Software Defined Networking)

• What is SDN ?
• Traditional Network Drawbacks Versus SDN
• What Will SDN Bring?
• SDN Architecture Components
• SDN Terminology
• Virtualization
• Virtual Network Structure

Latest Lessons

• Layer 2 vs Layer 3 Switch Part of: CCNA 200-301 v1.1
• BPDU (Bridge Data Unit Protocol) Part of: CCNA 200-301 v1.1
• STP Loop Guard Part of: CCNA 200-301 v1.1
• STP BPDU Filter Part of: CCNA 200-301 v1.1
• STP BPDU Guard Part of: CCNA 200-301 v1.1
• STP Root Guard Part of: CCNA 200-301 v1.1
• Generative AI vs Predictive AI Part of: CCNA 200-301 v1.1
• IPv6 Global Unicast Address Part of: CCNA 200-301 v1.1
• IPv6 Unique Local Address Part of: CCNA 200-301 v1.1
• Wildcard Mask Part of: CCNA 200-301 v1.1
• More Lessons

Latest Blog Posts

WHAT YOU WILL FIND?

• 250.000+ Students All Over The World
• 8.000+ Questions & Answers
• 100+ Lab Files & Cheat Sheets
• 30+ IT/Network Courses
• A Real Desire To Help You
• Daily Social Media Shares
• %100 Satisfaction
• CISCO Courses
• NOKIA Courses
• HUAWEI Courses
• JUNIPER Courses
• PYTHON Course
• KEY Courses
• VIDEO Courses
• UDEMY Courses
• Cheat Sheets
• Configuration Files
• Interview Questions
• IPCisco On Social Media
• Pärnu mnt. 139c – 14, 11317, Tallinn, Estonia
• [email protected]

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

VLAN assignment based on mac-address or RADIUS attribute

I'd like to know how to assign someone's client device to a different VLAN based on MAC address of that device.What kind of hardware/software would make this solution possible (if possible at all)? Would it be possbible to achieve the same using RADIUS authorization credentials instead of MAC addresses?

The reason why I'm asking this is because I'd like to migrate my company's internal network structure to something divided into separate subnets, isolating specific departments from each other, and providing separated, intranet isolated, guest accessible internet access. Would the method above be a right solution for this?

• mac-address

• 1 Have you considered 802.1x ? What kind of switches do you have? –  Mike Pennington Commented Oct 30, 2013 at 7:07
• 1 Yes, I have. Our network is built around one server acting as a gateway (running virtualized IPFire, but we're making progress towards replacing it with a Netasq UTM 250) and everything behind that is (unluckily) simple network hardware like TP-Link wireless APs and some cheap, dumb switches from Dlink. What I'd like to end up with is a solution where a client computer tries to connect to the network, gets authenticated via 802.1x, RADIUS, or plain MAC and is then assigned to a VLAN of my choice. So that it can be either separated from, or provided with access to our intranet. Sound doable? –  pietrek Commented Oct 30, 2013 at 7:42
• 1 Specific product recommendations are going to be off-topic. Is it okay if we give you the most secure way of implementing the service? –  Mike Pennington Commented Oct 30, 2013 at 12:37
• Sure. I'm just looking for suggestions, or examples of working solutions. –  pietrek Commented Oct 31, 2013 at 8:23
• Did any answer help you? if so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer. –  Ron Maupin ♦ Commented Aug 8, 2017 at 15:28

I am on the 1st phase of implementing a similar solution. 802.1x it's been for a while now and although it's grown up and globally supported it's vulnerable when meeting local OS network stack. I have deployed it several times on small and medium networks and usually it works for 90% of the workstations, maybe 95%. There is always an old Windows install that simply turns off your day.

Based on that I am working with FreeRadius . It requires broader knowledge except basic networking, but it doesn't interact in any way with the workstations, it's transparent for the user.

You can also try FreeNAC which is similar still it's been discontinued for some time now.

Your Answer

Sign up or log in, post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged vlan mac-address radius or ask your own question .

• The Overflow Blog
• Where does Postgres fit in a world of GenAI and vector databases?
• Featured on Meta
• We've made changes to our Terms of Service & Privacy Policy - July 2024
• Bringing clarity to status tag usage on meta sites

Hot Network Questions

• Why are AAVs not a replacement for through-roof vent pipe?
• Are there any theoretical reasons why we cannot measure the position of a particle with zero error?
• How do I alter a table by using AFTER in hook update?
• How are notes named in Japan?
• Philosophies about how childhood beliefs influence / shape adult thoughts
• What' the intuition behind Shankar's postulate II?
• Is it possible for a fuse to blow at extremely low temperatures?
• What is the significance of bringing the door to Nippur in the Epic of Gilgamesh?
• Submitting a paper as a nonacademic practitioner in a field
• How much missing data is too much (part 2)? statistical power, effective sample size
• Why does my PC take a long time to start, then when it's at the login screen it jumps to the desktop instantly?
• How to attach a 4x8 plywood to a air hockey table
• I'm trying to remember a novel about an asteroid threatening to destroy the earth. I remember seeing the phrase "SHIVA IS COMING" on the cover
• Is it advisable to contact faculty members at U.S. universities prior to submitting a PhD application?
• Order of connection using digital multimeter wall outlet
• Can light become a satellite of a black hole?
• What issues are there with my perspective on truth?
• ST_Curvetoline creates invalid geometries
• Why is one of the Intel 8042 keyboard controller outputs inverted?
• Is every recursively axiomatizable theory interpretable in the true arithmetic (TA)?
• Is there any video of an air-to-air missile shooting down an aircraft?
• sudo / sudoers on macOS: regex not working but wildcards/globs are
• Using "no" at the end of a statement instead of "isn't it"?
• Get WEBP via FFmpeg/thumbnails utility

What is a VLAN? Ultimate Guide to How VLANs Work

Maine Basan

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More .

Key Takeaways

• • VLANs enable logical partitioning of networks, improving security and performance by isolating traffic into separate broadcast domains. (Jump to Section)
• • Advantages include enhanced network performance, reduced latency, improved security, and simplified device management, making them essential for efficient network operations. (Jump to Section)
• • Types include port-based, protocol-based, and MAC-based VLANs, each serving specific purposes like managing device functions or isolating traffic based on protocol. (Jump to Section)

A VLAN (Virtual Local Area Network) is a logical grouping of devices that are all connected to the same network regardless of physical location. VLANs are an essential component of contemporary networking, allowing network traffic to be segmented and managed.

VLANs enable logical partitioning inside a single switch, resulting in multiple virtual local area networks where physical switch segmentation is not a possibility. These partitions enable the division of a large network into smaller, more manageable broadcast domains, thereby improving network security , efficiency, and flexibility. In this comprehensive guide, we will look at how VLANs function, when to use them, the benefits and drawbacks they provide, and the types of VLANs.

• How Do VLANs Work?

When to Use a VLAN

• Advantages of VLANs
• Disadvantages of VLANs
• Common Types of VLANs

Bottom Line: VLANs

How do vlans work .

VLANs are assigned unique numbers, which enable network administrators to arrange and separate network traffic. A VLAN number is a label or tag that is applied to certain packets in order to determine their VLAN classification. The valid VLAN number range is typically 1 to 4094, providing adequate flexibility to build many VLANs within a network configuration.

VLAN numbers are assigned to switch ports to associate VLAN membership with network devices. The switch then permits data to be transmitted across ports that are part of the same VLAN. Network administrators can regulate the flow of traffic within the network by establishing VLAN membership for particular ports. By giving the right VLAN number to each port on a VLAN switch, ports may be identified as belonging to a certain VLAN. VLAN tagging, which adds a tiny header to Ethernet frames, is used by switches to identify the VLAN to which the frame belongs. This tagging guarantees that traffic is channeled correctly inside the VLAN and does not leak to other VLANs.

Since practically all networks include more than one switch, VLANs provide a means to transport traffic between them. After assigning VLAN numbers to switch ports, the switch ensures that data destined for devices in the same VLAN is transferred correctly. When two or more ports on the same switch are assigned the same VLAN number, the switch permits communication between those ports while isolating traffic from other ports. This segmentation improves network security, performance, and administration capabilities.

Because most networks are bigger than a single switch, it is necessary to facilitate communication across VLANs on various switches. A simple way to accomplish this is to configure particular ports on each switch to be part of a common VLAN and to make physical connections (usually through cables) between these designated ports. Switches enable inter-VLAN traffic to flow by connecting these ports, allowing communication between devices in different VLANs.

Also read: How to Implement Microsegmentation

VLANs provide several advantages in network management, performance enhancement, and security. They offer the flexibility and control required in enterprise network settings, whether it is the logical separation of devices based on function, the creation of isolated guest networks, the prioritization of critical traffic, or the optimization of large-scale networks. VLANs are particularly useful in situations such as:

• High-traffic environments and networks with over 200 devices: VLANs provide efficient traffic flow and easier administration by effectively controlling and arranging a large number of devices.
• Optimizing network performance in high-traffic LANs: Congestion may be decreased by splitting traffic into distinct VLANs, resulting in smoother data transfer and lower latency. This improvement enables more effective network resource utilization and increases overall network efficiency.
• Creating multiple switches from a single switch: Network managers can create independent broadcast domains by segmenting ports into various VLANs, thus splitting a single switch into many logical switches. This separation increases network performance, security, and administration.
• Adding security measures and controlling excessive broadcast traffic: Separating groups into separate VLANs increases security while reducing performance difficulties caused by excessive broadcast traffic.
• Prioritizing voice and video traffic: For real-time communication applications, this segmentation assures quality of service (QoS). VLANs reduce latency and packet loss by prioritizing this sort of traffic, improving the overall user experience and ensuring seamless communication.
• Creating isolated guest networks: VLANs prevent unauthorized access and associated security issues by isolating guest devices from the internal network. This isolation guarantees that visitors have access to the resources they require while safeguarding the internal network’s integrity and security.
• Separating logical devices: VLANs allow devices to be logically separated based on their purpose, department, or security needs. Network administrators can enhance network performance and security by grouping devices with similar tasks or security requirements into VLANs. This segmentation decreases broadcast traffic, safeguards against potential security breaches, and enables focused administration and control.
• When simplifying network management: VLANs are critical in constructing virtual networks that transcend physical servers in virtualized and cloud computing environments. This adaptability simplifies network administration, increases scalability, and allows for more effective resource consumption. VLANs in these contexts provide smooth connectivity between virtual computers and assist enterprises in managing their infrastructure more efficiently.

See how one managed service provider used VLANs to protect backups from ransomware: Building a Ransomware Resilient Architecture

8 Advantages of VLANs

VLANs enable enterprises to improve network efficiency, scalability, and security while also simplifying network administration, increasing security, and boosting overall performance. Here are some of the advantages of using VLANs.

• Logically segment networks: VLANs allow for the logical segmentation of networks and the administration of geographically scattered sites. Administrators may efficiently manage network resources, apply specific security measures, and guarantee seamless communication across locations by building distinct VLANs for various sites or departments.
• Improve network security: By logically grouping devices and separating network traffic, VLANs create an extra layer of network security. Network administrators may manage access and ensure that sensitive information remains segregated by defining different VLANs depending on departments, project teams, or roles. VLANs keep unauthorized users out of restricted regions and provide a strong security foundation for safeguarding valuable data, similar to zero trust concepts.
• Increase operational efficiency: VLANs provide operational benefits by allowing administrators to modify users’ IP subnets using software rather than physically changing network equipment. This flexibility simplifies network maintenance, minimizes downtime, and improves the network infrastructure’s overall agility.
• Enhance performance and decrease latency: VLANs improve network performance by lowering latency and increasing total data transmission rates. VLANs prioritize traffic flow inside each VLAN by segmenting networks depending on functional needs, guaranteeing effective network resource usage, quicker data transfer and a better user experience.
• Reduce costs and hardware requirements: By maximizing the existing network infrastructure, VLANs remove the need for extra physical hardware and wiring. This reduction in hardware needs saves money while also simplifying network management and maintenance.
• Simplify device management: VLANs make device administration easier and more efficient by letting administrators organize devices based on their function or purpose rather than their physical location. This logical grouping simplifies device configuration, monitoring, and troubleshooting.
• Solve broadcast problems and reduce broadcast domains: When a network is partitioned into many VLANs, broadcast traffic is confined within each VLAN, preventing it from congesting the whole network. This separation decreases broadcast storms while also increasing network efficiency and overall performance.
• Streamline network topology: Typical network structures may need complex setups that include several switches, routers, and connections. By implementing VLANs, network topology can be simplified, resulting in a reduced number of devices. VLANs organize network devices conceptually, decreasing the complexity of physical connections and increasing network scalability.

Also read: Network Protection: How to Secure a Network

7 Disadvantages of VLANs

While VLANs provide substantial benefits in network management and security, it is critical to understand their potential downsides. Understanding these drawbacks allows network managers to handle them proactively and guarantee a successful VLAN implementation that meets their unique organizational needs.

• Additional network complexity. The additional network complexity caused by VLANs is one of the key problems of adopting them. VLAN management in bigger networks may be a difficult operation that involves precise design, configuration, and constant monitoring. Misconfigurations can lead to network instability or even outages if correct knowledge and documentation are not used.
• Cybersecurity risks. If an injected packet succeeds in breaching a VLAN’s borders, it could jeopardize the network’s integrity and security. Furthermore, a threat emanating from a single machine within a VLAN has the ability to propagate viruses or malware throughout the whole logical network, demanding strong security measures. Further segmentation and zero trust controls could limit any damage.
• Interoperability concerns. Different network devices, particularly those from different suppliers, may have inconsistent compatibility with VLAN technologies, making smooth integration and consistent functioning problematic. Before establishing VLANs in such situations, it is critical to guarantee compatibility and undertake extensive testing.
• Limited VLAN traffic relay. Each VLAN runs as its own logical network, and VLANs cannot forward network traffic to other VLANs by default. While this isolation provides security benefits, it might cause problems when communicating between VLANs. To enable traffic routing between VLANs, further setup and the usage of Layer 3 devices are necessary, adding complexity to network architecture and operation.
• Possible risk of broadcast storms. Improper VLAN configuration can lead to broadcast storms, which happen when too much broadcast traffic overwhelms the network infrastructure. To avoid these disruptive incidents, VLAN design and setup must be carefully considered.
• Reliance on Layer 3 devices. When Layer 3 devices have problems or become overloaded, it can have a major impact on VLAN connectivity. Layer 3 equipment, such as routers or Layer 3 switches, are widely used in inter-VLAN connections. These devices are in charge of routing traffic between VLANs, and their availability and correct setup are critical for VLAN operation.
• Unintentional packet leakage. Packets can mistakenly leak from one VLAN to another in rare instances. This leakage might arise as a result of incorrect setups, poor access control , or insufficient network segmentation. Packet leakage jeopardizes VLAN security and isolation, exposing critical data to unauthorized users.

See the Top Microsegmentation Software

3 Common Types of VLANs

There are several types of VLANs commonly used in networking.

• Data VLAN: This type is often known as a user VLAN, and is dedicated solely to user-generated data. Data VLANs are designed to isolate and organize network traffic based on device function, department, or security requirements. The organizational structure of data virtual LANs is used to classify them. It is strongly encouraged to properly evaluate how users could be appropriately classified while taking into account all configuration choices. These clusters might be departmental or work-related. Administrators can boost network efficiency and security by grouping devices with similar tasks or security needs into Data VLANs to reduce broadcast traffic, isolate security vulnerabilities, and facilitate network monitoring and control.
• Default VLAN: Typically, default VLANs are allocated to switch ports that have not been expressly defined for any specific VLAN. They serve as a backup alternative for devices that lack VLAN designations. Administrators can guarantee that devices without explicit VLAN assignments remain operational and can interact inside the network by selecting a default VLAN.
• Native VLAN: An access port, also known as an untagged port, is a switch port that carries traffic for a single VLAN, whereas a trunk port, also known as a tagged port, carries data for several Virtual LANs. Native VLANs are linked to trunk lines, which connect switches. These VLANs are untagged on the trunk link, which means that frames sent across the link do not contain VLAN tags. When traffic arrives on a port without a VLAN tag, it is assigned to the Native VLAN; however, it is critical to set the Native VLAN consistently on both ends of the trunk connection to avoid connectivity difficulties and potential security risks.
• Management VLAN: Management VLANs are VLANs that are dedicated to network administration and management responsibilities. This particular type is recommended for the most sensitive management activities, such as monitoring, system logging, SNMP, and so on. This not only provides security benefits, but also provides capacity for these management duties even in high-traffic scenarios. Administrators may assure safe access to network devices, ease network monitoring and troubleshooting, and protect key network infrastructure from illegal access or interference by isolating management traffic onto a distinct VLAN.
• Voice VLAN: Voice VLANs are designed to prioritize and handle voice traffic in a network context, such as Voice over IP (VoIP) calls. Network administrators can assure Quality of Service (QoS) for real-time communication by allocating voice devices to a distinct VLAN, minimizing latency or packet loss issues that may affect the user experience during voice calls.

• Protocol-based VLAN: Protocol-based VLANs classify VLAN membership according to the traffic protocol in use. In a Protocol-based VLAN, the frame contains the layer-3 protocol information that specifies VLAN membership. While this method is effective in multi-protocol environments, it may not be feasible in IP-only networks. Other protocols’ traffic, such as IP, IPX, or AppleTalk, can be routed to their respective VLANs. This form of VLAN filters traffic based on protocol and offers untagged packet criteria.

• MAC-based VLAN: This type of VLAN is ideal when network administrators require granular control over device placement. A MAC-based VLAN uses the MAC address of a device to identify it as a member of that VLAN. Each VLAN on the switch has its own MAC address. This type of VLAN is typically used when device segmentation by MAC address is necessary.  Untagged inbound packets are allocated virtual LANs through the use of MAC-based VLANs, allowing traffic to be categorized depending on the source address.

See the Best Next-Generation Firewalls (NGFWs)

VLANs are a powerful network strategy that enables efficient traffic control, better security, and optimal network performance. These are critical functions in modern network environments, allowing network traffic to be segregated and controlled. By assigning VLAN numbers to switch ports, network administrators may create logical network segments and regulate data flow inside and between VLANs.

VLANs provide the flexibility and control required in contemporary network settings, whether it is the logical separation of devices based on function, the creation of isolated guest networks, the prioritization of critical traffic, or the optimization of large-scale networks. Understanding the functions and advantages of VLAN types helps administrators to create efficient network configurations tailored to their organization’s needs.

• Best Network Monitoring Tools
• Top Network Detection & Response (NDR) Solutions

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Previous article

Next article

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

IT Security Resources

Vulnerability recap 8/27/24 – wide range of vulnerabilities this week.

NordLayer Review: Pricing, Features & Specs

How Does a VPN Work? A Comprehensive Beginner’s Overview

CrowdStrike Competitors for 2024: Top Alternatives Reviewed

Top Cybersecurity Companies

Get the free newsletter.

Subscribe to Cybersecurity Insider for top news, trends & analysis

Related Articles

How to Get a VPN on Any Device (+ Installation Tips)

• Engineering Mathematics
• Discrete Mathematics
• Operating System
• Computer Networks
• Digital Logic and Design
• C Programming
• Data Structures
• Theory of Computation
• Compiler Design
• Computer Org and Architecture

Virtual LAN (VLAN)

Virtual LAN (VLAN) is a concept in which we can divide the devices logically on layer 2 (data link layer). Generally, layer 3 devices divide the broadcast domain but the broadcast domain can be divided by switches using the concept of VLAN. 

A broadcast domain is a network segment in which if a device broadcast a packet then all the devices in the same broadcast domain will receive it. The devices in the same broadcast domain will receive all the broadcast packets but it is limited to switches only as routers don’t forward out the broadcast packet. To forward out the packets to different VLAN (from one VLAN to another) or broadcast domains, inter Vlan routing is needed. Through VLAN, different small-size sub-networks are created which are comparatively easy to handle. 

VLAN ranges:

• VLAN 0, 4095: These are reserved VLAN which cannot be seen or used.
• VLAN 1: It is the default VLAN of switches. By default, all switch ports are in VLAN. This VLAN can’t be deleted or edit but can be used.
• VLAN 2-1001: This is a normal VLAN range. We can create, edit and delete these VLAN.
• VLAN 1002-1005: These are CISCO defaults for fddi and token rings. These VLAN can’t be deleted.
• Vlan 1006-4094: This is the extended range of Vlan.

Configuration –   We can simply create VLANs by simply assigning the vlan-id and Vlan name. 

Here, 2 is the Vlan I’d and accounts is the Vlan name. Now, we assign Vlan to the switch ports.e.g- 

Also, switchport range can be assigned to required vlans.  

By this, switchport fa0/0, fa0/1, fa0-2 will be assigned Vlan 2. 

Example –  

Assigning IP address 192.168.1.1/24, 192.168.1.2/24 and 192.168.2.1/24 to the PC’s. Now, we will create Vlan 2 and 3 on switch. 

We have made VLANs but the most important part is to assign switch ports to the VLANs.  

As seen, we have assigned Vlan 2 to fa0/0, fa0/2, and Vlan 3 to fa0/1. 

VLANs offer several features and benefits, including:

• Improved network security: VLANs can be used to separate network traffic and limit access to specific network resources. This improves security by preventing unauthorized access to sensitive data and network resources.
• Better network performance: By segregating network traffic into smaller logical networks, VLANs can reduce the amount of broadcast traffic and improve network performance.
• Simplified network management: VLANs allow network administrators to group devices together logically, rather than physically, which can simplify network management tasks such as configuration, troubleshooting, and maintenance.
• Flexibility: VLANs can be configured dynamically, allowing network administrators to quickly and easily adjust network configurations as needed.
• Cost savings: VLANs can help reduce hardware costs by allowing multiple virtual networks to share a single physical network infrastructure.
• Scalability: VLANs can be used to segment a network into smaller, more manageable groups as the network grows in size and complexity.

Some of the key features of VLANs include:

• VLAN tagging: VLAN tagging is a way to identify and distinguish VLAN traffic from other network traffic. This is typically done by adding a VLAN tag to the Ethernet frame header.
• VLAN membership: VLAN membership determines which devices are assigned to which VLANs. Devices can be assigned to VLANs based on port, MAC address, or other criteria.
• VLAN trunking: VLAN trunking allows multiple VLANs to be carried over a single physical link. This is typically done using a protocol such as IEEE 802.1Q.
• VLAN management: VLAN management involves configuring and managing VLANs, including assigning devices to VLANs, configuring VLAN tags, and configuring VLAN trunking.

Types of connections in VLAN –

There are three ways to connect devices on a VLAN, the type of connections are based on the connected devices i.e. whether they are VLAN-aware(A device that understands VLAN formats and VLAN membership) or VLAN-unaware(A device that doesn’t understand VLAN format and VLAN membership).

• Trunk Link – All connected devices to a trunk link must be VLAN-aware. All frames on this should have a special header attached to it called tagged frames.
• Access link – It connects VLAN-unaware devices to a VLAN-aware bridge. All frames on the access link must be untagged.
• Hybrid link – It is a combination of the Trunk link and Access link. Here both VLAN-unaware and VLAN-aware devices are attached and it can have both tagged and untagged frames. 

Advantages –  

• Performance – The network traffic is full of broadcast and multicast. VLAN reduces the need to send such traffic to unnecessary destinations. e.g.-If the traffic is intended for 2 users but as 10 devices are present in the same broadcast domain, therefore, all will receive the traffic i.e. wastage of bandwidth but if we make VLANs, then the broadcast or multicast packet will go to the intended users only.
• Formation of virtual groups – As there are different departments in every organization namely sales, finance etc., VLANs can be very useful in order to group the devices logically according to their departments.
• Security –   In the same network, sensitive data can be broadcast which can be accessed by the outsider but by creating VLAN, we can control broadcast domains, set up firewalls, restrict access. Also, VLANs can be used to inform the network manager of an intrusion. Hence, VLANs greatly enhance network security.
• Flexibility – VLAN provide flexibility to add, remove the number of host we want.
• Cost reduction – VLANs can be used to create broadcast domains which eliminate the need for expensive routers. By using Vlan, the number of small size broadcast domain can be increased which are easy to handle as compared to a bigger broadcast domain.

Disadvantages of VLAN 

• Complexity: VLANs can be complex to configure and manage, particularly in large or dynamic cloud computing environments.
• Limited scalability: VLANs are limited by the number of available VLAN IDs, which can be a constraint in larger cloud computing environments.
• Limited security : VLANs do not provide complete security and can be compromised by malicious actors who are able to gain access to the network.
• Limited interoperability : VLANs may not be fully compatible with all types of network devices and protocols, which can limit their usefulness in cloud computing environments.
• Limited mobility : VLANs may not support the movement of devices or users between different network segments, which can limit their usefulness in mobile or remote cloud computing environments. 
• Cost: Implementing and maintaining VLANs can be costly, especially if specialized hardware or software is required.
• Limited visibility: VLANs can make it more difficult to monitor and troubleshoot network issues, as traffic is isolated in different segments.

Real-Time Applications of VLAN 

Virtual LANs (VLANs) are widely used in cloud computing environments to improve network performance and security. Here are a few examples of real-time applications of VLANs:

• Voice over IP (VoIP) : VLANs can be used to isolate voice traffic from data traffic, which improves the quality of VoIP calls and reduces the risk of network congestion.
• Video Conferencing : VLANs can be used to prioritize video traffic and ensure that it receives the bandwidth and resources it needs for high-quality video conferencing.
• Remote Access : VLANs can be used to provide secure remote access to cloud-based applications and resources, by isolating remote users from the rest of the network.
• Cloud Backup and Recovery : VLANs can be used to isolate backup and recovery traffic, which reduces the risk of network congestion and improves the performance of backup and recovery operations.
• Gaming : VLANs can be used to prioritize gaming traffic, which ensures that gamers receive the bandwidth and resources they need for a smooth gaming experience.
• IoT : VLANs can be used to isolate Internet of Things (IoT) devices from the rest of the network, which improves security and reduces the risk of network congestion.

Please Login to comment...

Similar reads.

• How to Get a Free SSL Certificate
• Best SSL Certificates Provider in India
• Elon Musk's xAI releases Grok-2 AI assistant
• What is OpenAI SearchGPT? How it works and How to Get it?
• Content Improvement League 2024: From Good To A Great Article

Improve your Coding Skills with Practice

What kind of Experience do you want to share?

IP Encyclopedia

What Is Virtual Local Area Network (VLAN)

Virtual Local Area Network (VLAN) technology logically divides a physical LAN into multiple broadcast domains, each of which is called a VLAN. Each VLAN functions as a separate broadcast domain, with devices in the same VLAN able to directly communicate with one another, while those in different VLANs cannot. As a result, broadcast packets are confined within a single VLAN.

• Why Do We Need VLAN?
• VLAN vs Subnet
• VLAN Tag and VLAN ID
• Interface Types and VLAN Tag Processing
• VLAN Application Scenarios
• VLAN-related Protocols
• What Are Disadvantages of VLAN in Cloud-based Scenarios

Early Ethernet allows data communication over shared media through Carrier Sense Multiple Access/Collision Detection (CSMA/CD). When an Ethernet network has a large number of hosts, collision becomes a serious problem and can lead to broadcast storms. This degrades network performance or even causes a complete breakdown. Using Layer 2 devices to connect LANs can restrict data transmission within a LAN. However, this resolves only the conflicts.

This is where VLAN technology comes in. VLAN technology allows a physical LAN to be divided into multiple logical LANs (multiple VLANs). Each VLAN functions as a separate broadcast domain, with hosts in the same VLAN able to directly communicate with one another, while those in different VLANs cannot. As a result, broadcast packets are confined within a single VLAN. The following figure shows an example.

• Confines each broadcast domain to a single VLAN . This conserves bandwidth and improves network processing capabilities.
• Enhances LAN security. Frames in different VLANs are separately transmitted, so that hosts in a VLAN cannot directly communicate with those in another VLAN.
• Improves network robustness. A fault in one VLAN does not affect hosts in another VLAN.
• Allows for flexible virtual groups. VLAN technology allows hosts in different geographical locations to be added to different groups, simplifying network construction and maintenance.

A network can be divided into multiple subnets to conserve IP address space and support flexible IP addressing.

Similar to a VLAN, a subnet can also isolate hosts. Hosts in different subnets cannot communicate with each other. The following figure shows the comparison between VLANs and subnets.

IEEE 802.1Q adds a 4-byte VLAN tag to an Ethernet frame, enabling switches to identify the VLAN to which the received frame belongs.

The VID field in a data frame identifies the VLAN to which the frame belongs (that is, the VLAN ID). The frame can only be transmitted within this VLAN. This field ranges from 0 to 4095. The values 0 and 4095 are reserved, and therefore available VLAN IDs are in the range from 1 to 4094.

All frames processed in a switch carry VLAN tags, but some devices, such as hosts and servers, connected to a switch cannot process VLAN-tagged frames. To enable communication between the switch and these devices, the switch interfaces must be able to identify whether an Ethernet frame is tagged, and add VLAN tags to or remove VLAN tags from the frames when sending and receiving these frames. When the switch receives an untagged frame, it adds a VLAN tag to the frame according to the default VLAN, that is, Port Default VLAN ID (PVID) of the interface that received the frame.

Hosts in the same VLAN may be connected to different switches, and a VLAN can span multiple switches. To enable communication between hosts, interfaces between switches must be able to identify and send VLAN-tagged frames of multiple VLANs. Ethernet interfaces of different types can be configured to satisfy different networking requirements, depending on the objects connected to them and the way they process frames.

Different vendors may define different VLAN interface types. On Huawei devices, Ethernet interfaces are classified into access, trunk, and hybrid interfaces.

Access Interface

An access interface often connects to a terminal (such as a PC or server) that cannot or does not need to identify VLAN tags.

• Untagged frame: an original frame without a 4-byte VLAN tag
• Tagged frame: a frame with a 4-byte VLAN tag

In most cases, access interfaces accept and send only untagged frames, and tag frames that do not carry a VLAN tag with its Port Default VLAN ID (PVID). Since only tagged frames can be processed in a switch, the default VLANs for access interfaces must be set. After the default VLAN is configured for an access interface, the access interface joins this VLAN and adds the corresponding VLAN tag to received untagged frames.

An access interface accepts VLAN-tagged frames only when they are tagged with a VLAN ID that matches its PVID.

An access interface removes the VLAN tag from a tagged frame before sending the frame out.

Trunk Interface

A trunk interface often connects to a switch, router, AP, or voice terminal that can accept and send both tagged and untagged frames. It accepts VLAN-tagged frames of multiple VLANs and only sends frames in the default VLAN as untagged.

The default VLAN of a trunk interface is defined as the native VLAN by some vendors. When a trunk interface receives an untagged frame, it adds the native VLAN tag to the frame.

Hybrid Interface

A hybrid interface can connect to a user terminal (such as a host or server) or network device (such as a hub) that cannot identify VLAN tags, and also can connect to a switch, a router, an AP, or a voice terminal that can accept and send tagged and untagged frames. It accepts VLAN-tagged frames of multiple VLANs. Depending on your configuration, frames sent out from a hybrid interface may be tagged or untagged.

Hybrid and trunk interfaces can be interchanged in some scenarios, but hybrid interfaces must be used in specified scenarios, for example, selective QinQ. Before frames from multiple VLANs provided by a service provider enter a user network, the outer VLAN tags must be removed. Trunk interfaces cannot be used here because they allow only frames from their default VLANs to pass through as untagged.

Users can be isolated at Layer 2 using VLANs and can communicate with each other at Layer 3 through VLANIF interfaces.

Inter-VLAN Layer 2 Isolation

In the following figure, there are multiple companies in a building. These companies share network resources to reduce costs. Networks of the companies connect to different interfaces of the same Layer 2 switch and access the Internet through the same egress router.

To isolate the services of different companies and ensure service security, assign interfaces connected to the company networks to different VLANs. In this way, each company has a virtual router , and each VLAN works as a virtual work group.

In the following figure, a company has two departments assigned with fixed IP network segments. The employees often move between locations, but the company requires that their network resource access rights remain unchanged.

To ensure that employees retain access to network resources after changing locations, assign VLANs based on subnets on Switch_1. In this case, servers on different subnets are assigned to different VLANs to isolate data flows for accessing application services on the servers, improving security.

Inter-VLAN Layer 3 Communication

In the following figure, departments 1 and 2 of a small-scale company belong to VLAN 2 and VLAN 3, respectively, and connect to a Layer 3 switch (Switch_3) through Layer 2 switches. Packets exchanged between the two departments need to pass through the Layer 3 switch.

Assign VLANs on Switch_1 and Switch_2, configure Switch_1 and Switch_2 to transparently transmit VLAN frames to Switch_3, and configure a VLANIF interface for each VLAN on Switch_3 to allow communication between VLAN 2 and VLAN 3.

IEEE 802.1Q

IEEE 802.1Q , often referred to as Dot1q , defines the VLAN implementation standard for Virtual Bridged Local Area Networks. Compared with a standard Ethernet frame, a VLAN-tagged frame has an extra 4-byte VLAN tag.

• When the link type on an Ethernet interface is negotiated as access, the interface joins VLAN 1 by default.
• When the link type on an Ethernet interface is negotiated as trunk, the interface joins VLANs 1 to 4094 by default.

The 802.1Q-in-802.1Q ( QinQ ) protocol is known as an amendment to the IEEE 802.1ad protocol. It expands VLAN space by adding an additional 802.1Q tag to 802.1Q-tagged packets, and allows packets in a private VLAN to be transparently transmitted over a public network.

A packet transmitted on the backbone network carries two 802.1Q tags: a public VLAN tag and a private VLAN tag.

Cloud computing, relying on its high system utilization rate, low manpower and management costs, and flexible and expandable performance advantages, has already become the current new form of enterprise IT construction. As a core technology of cloud computing, server virtualization has a wide range of applications.

VLAN is a traditional network isolation technology. In accordance with standards, a maximum of about 4096 VLANs are available, which cannot meet the tenant isolation requirements of large data centers. In addition, each VLAN is a small and fixed Layer 2 domain, and as such is not suitable for large-scale dynamic virtual machine (VM) migration.

To solve this problem, Virtual eXtensible Local Area Network ( VXLAN ) was introduced. Defined in RFC, VXLAN is a Network Virtualization over Layer 3 (NVO3) technology that uses MAC-in-User Datagram Protocol (MAC-in-UDP) encapsulation. VXLAN overcomes the preceding disadvantages of VLAN. VXLAN uses the 24-bit VXLAN Network Identifier (VNI) field to identify up to 16 million tenants, compared to a maximum of 4096 tenants in VLAN. VXLAN establishes a virtual tunnel between two switches across the basic IP network of the data center and virtualizes the data center network into a large Layer 2 virtual switch to meet the requirements of large-scale dynamic VM migration.

• Author： Zhu Yue
• Updated on： 2021-11-24
• Views： 29735
• Average rating：

• About Huawei
• About Huawei Enterprise
• Branch Office
• Huawei Events
• Huawei Facts
• Get Pricing
• eDeal Ordering System
• Find a Reseller
• Become a Partner
• Partner Training
• Partner Policy
• Partner Marketing
• Resource Center
• Video Library
• Publications
• Case Studies
• ICT Insights Podcast
• Support Community
• HUAWEI CLOUD
• FusionSolar Smart PV

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

• Terms of use
• RSS Subscribe