Fundamentals of VLAN technology
In the last Dr. Lan newsletter, I gave you an initial introduction to the topic of VLANs. As a reminder, VLAN stands for Virtual Local Area Network. This means that a physical LAN can be divided into several logical (virtual) subnets that are separate from each other.
Although connected to the same switch, each virtual network forms its own broadcast domain. Participants from different VLANs can communicate with each other across this broadcast domain.
Within the VLAN, a broadcast domain is no longer limited to a single switch. Network participants can be assigned to a virtual network regardless of their location without having to change the physical connections.
This requires VLAN-enabled switches, known as managed switches. While unmanaged switches in plug-and-play mode are mostly used in the private user sector, managed switches can be configured in a variety of ways for professional use.
Port-based VLAN
There are basically two types of VLANs: tag-based and port-based. In a port-based VLAN, the switch is logically segmented. Individual ports are permanently assigned to a VLAN. These ports, which only transmit data from their assigned VLAN, are called access ports. Port-based VLAN configurations are mainly used in smaller networks, but can also be created across multiple switches. Due to the fixed assignment, port-based VLANs are also referred to as static VLANs.
However, if multiple VLANs are to be configured on a switch, port-based VLANs quickly reach their limits. This is because a separate port and Ethernet cable are required for each VLAN to connect the switches to each other. It is virtually impossible to create larger virtual networks in this way. Tag-based VLANs are therefore the better alternative.
Tag-based VLAN
In a tag-based VLAN, there is no fixed assignment between the virtual network and the physical port. This means that several VLANs can be used simultaneously on a single switch port. In these tagged VLANs, each Ethernet frame is marked with an additional tag that specifies which VLAN it belongs to. The tag is an extension of the Ethernet frame in which the ID of the VLAN is stored, and it thereby identifies which broadcast domain the respective frame belongs to. The tagging procedure is defined in the IEEE 802.1Q standard. This frame-based type of VLAN is also known as a dynamic VLAN. It automatically assigns network participants to the correct VLAN, regardless of how they are connected to the network: wired or wireless via an access point.
Trunk ports
Switches require trunk ports in order to mark frames with identifying tags during transmission. A trunk port can be configured to transmit multiple VLANs. VLAN trunking allows you to transmit information from multiple virtual LANs over a single line, for example to a core switch, without having to provide a separate port and connection for each VLAN.
An Ethernet interface can normally function either as a trunk port or as an access port. The exceptions to this are hybrid ports, which can process both types of frames (tagged and untagged), acting as a trunk port and as an access port at the same time.
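As an added illustration (not code from the newsletter), the following Python model shows what an IEEE 802.1Q tag looks like inside the Ethernet frame and how an access port and a trunk port treat tagged and untagged frames. The dictionary representation of ports, the constructed sample frame, and the simplification that untagged frames arriving on a trunk are dropped are assumptions made here, not part of the original text.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tagged frame

def parse_frame(frame):
    """Split an Ethernet frame into its header fields; 'vlan' is None when untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"vlan": None, "pcp": None, "ethertype": ethertype, "payload": frame[14:]}
    tci = struct.unpack("!H", frame[14:16])[0]  # Tag Control Information
    return {"vlan": tci & 0x0FFF,              # 12-bit VLAN ID
            "pcp": tci >> 13,                   # 3-bit priority code point
            "ethertype": struct.unpack("!H", frame[16:18])[0],
            "payload": frame[18:]}

def tag_frame(frame, vid, pcp=0):
    """Insert a 4-byte 802.1Q tag after the source MAC of an untagged frame."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame):
    """Remove the 802.1Q tag (bytes 12-15) from a tagged frame."""
    return frame[:12] + frame[16:]

def ingress(port, frame):
    """Assign a received frame to a VLAN: (vid, untagged frame), or None if dropped."""
    vlan = parse_frame(frame)["vlan"]
    if port["mode"] == "access":
        # An access port carries exactly one VLAN; tagged frames are not accepted.
        return None if vlan is not None else (port["vlan"], frame)
    # Trunk port: accept only tagged frames whose VID is allowed on this trunk.
    # Simplification (assumption): untagged frames on a trunk are dropped here.
    if vlan is None or vlan not in port["allowed"]:
        return None
    return vlan, untag_frame(frame)

def egress(port, vid, frame):
    """Send an untagged frame of VLAN vid out of a port; None if the port does not carry vid."""
    if port["mode"] == "access":
        return frame if vid == port["vlan"] else None
    return tag_frame(frame, vid) if vid in port["allowed"] else None

# Constructed sample: broadcast dst, example src, IPv4 EtherType, dummy payload
UNTAGGED = bytes.fromhex("ffffffffffff" "0242ac110002" "0800") + b"payload"
ACCESS_10 = {"mode": "access", "vlan": 10}      # port dictionaries are an assumed representation
ACCESS_20 = {"mode": "access", "vlan": 20}
TRUNK = {"mode": "trunk", "allowed": {10, 20}}
```

Running `ingress` on one port and `egress` on another reproduces the behaviour described above: a frame entering an access port in VLAN 10 leaves the trunk tagged with VID 10 and is never delivered to an access port in VLAN 20.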
Trunking
Trunking refers to the aggregation of multiple network links. To avoid confusion, it’s important to use the terms “trunk port” and “trunking” correctly: apart from VLAN trunking, trunking in network cabling also means combining several physical links into a single logical connection. This is done to increase data throughput, using the Link Aggregation Control Protocol (LACP, 802.3ad).
Reasons for VLANs
- Security: Separation of public and confidential areas
- Performance: Reduced network load and optimized traffic
- Organization: Avoiding unnecessary cabling
- Cost: Saving on additional infrastructure components such as switches and cables
- Flexibility: Access the same VLAN from different workstations
Conclusion
Nowadays, hardly any large or medium-sized networks in companies, institutions, or government agencies can do without VLANs, whether for reasons of security, flexibility, performance, or cost. In terms of security, you need to bear in mind that a tag-based VLAN is easier to attack than a port-based one. If you would like to learn more about VLANs and even acquire the tools to create your own VLANs, we recommend the Switch Management workshop, which we offer in collaboration with Avanis Academy.