Networking | Programming | Security | Linux | Computer Science | About

Virtual LANs (VLANs)

As you may or may not be aware, switches operate at layer 2 of the OSI model. Switches primarily use MAC addresses to manage and communicate with hosts that are attached to them. Switches help eliminate collisions by providing a single collision domain between the host and the switch. At the layer above, the network layer (layer 3) routers manage logical networks that use IP, and they also reduce broadcast domains. However, routers can be very expensive and are not always required for a smaller- to medium-size network. Over the past several years, newer switches that operate at both layers 2 and 3 of the OSI model have been developed that have characteristics of both switches and routers. One technology that these layer 3 switches, as they’re called, implements are virtual LANs (VLANs).

VLANs are implemented by switches by creating artificial or virtual local area networks that are created in the configuration of the switch itself. Obviously because these Virtual LANs operate at layer 3, switches also have to use IP addresses in addition to MAC addresses. With a typical layer 2 switch, all hosts plugged into the switch are usually on the same LAN. With a layer 3 switch, however, it’s possible to separate hosts into different logical or virtual local area networks. Two hosts can be plugged into two switch ports that are side-by-side, yet be on a totally different logical subnetwork. The switch is configured with different virtual LANs and the respective network IDs, and then hosts are assigned, based upon the switch port, to a particular VLAN.

There are several advantages to this setup. First, layer 3 switches are a lot less expensive than most routers. Second, some of the same fundamental functions that a router performs, such as reducing broadcast domains and routing to another network (within the same larger enterprise-level network), can be performed by these layer 3 switches. Those two advantages aside, there are also some good security reasons for implementing VLANs. Segmenting different hosts into different logical LANs can add to the security posture of the network because this allows administrators to separate sensitive traffic from different hosts. The administrator can also isolate certain hosts that have specialized security needs. From a network management and performance perspective, segmenting these hosts could help to conserve bandwidth by eliminating broadcast domains (something that normal layer 2 switches don’t do), and would allow the administrator to change IP addressing schemes and configurations fairly easily as the network changes. That may be difficult to do when using hardware routers because you may have to physically add or change network interfaces on the router and change the actual router configuration whenever the IP addressing scheme on the network must change.

One other feature that makes VLANs so attractive in the network is the use of dynamic VLANs. Dynamic VLANs allow a switch port to be configured so that different hosts may be in different VLANs, based upon MAC address, username, and so on. So, if one computer plugs into the port, it may be in VLAN 1. If a different host, say a laptop, plugs into that same switch port, it is considered a member of VLAN 2 based upon its MAC address. Of course, this gives the administrator a great deal of flexibility over managing hosts on the switch, but it requires advanced configuration and planning.

So, there are several advantages to using layer 3 switches and VLANs. Keep in mind that there are still times when a router is required: usually to route traffic outside of the corporate network to the Internet, or to route internal network traffic that doesn’t use VLANs.

Published on Tue 27 March 2012 by Adi Wagstaff in Networking with tag(s): vlans