By Elaine J. Hom, Associate Editor and Rivka Little, Site Editor
For years, virtual LANs have played an important role in basic enterprise networking, enabling engineers to segment portions of their networks for security, management and scalability. The emergence of virtualization and cloud computing networks only makes understanding VLAN implementation more important. VLANs are key to providing management in a world of virtualization, even where virtual machines are constantly migrating, challenging the very basics of network management. In this guide, learn about old and new uses of VLANs in everything from wireless LANs to data center networks.
What is a VLAN?
Before implementing or managing a VLAN, one must understand what a VLAN is. A VLAN, or virtual (logical) LAN, is a local area network with definitions that map workstations based on anything except geographic location. For example, a VLAN might have a definition that maps workstations by department, type of user, and so on. The benefits of VLANs include easier management of workstations, load balancing, bandwidth allocation and tighter security.
VLANs become even more efficient when coupled with server virtualization. In a virtualized data center environment, the VLAN strings the physical servers together and creates a route. By allowing virtual machines to move across physical servers in the same VLAN, administrators can keep tabs on the virtual machines and manage them more efficiently.
- VLANs versus IP subnets: Why use a VLAN over IP subnetting? A virtual local area network (VLAN) is more secure than IP subnetting. This expert answer examines both VLANs and IP subnets and the key differences between them.
- For more VLAN basics, check out this tutorial.
There are three ways of configuring a VLAN: static, dynamic and port-centric. The configuration will be based on the needs of the VLAN. For example, for more security, administrators opt for a static VLAN, which assigns the VLAN membership to a switch's port; whereas a dynamic VLAN assigns the VLAN membership to the MAC address of the host or device.
Switches that support VLANs establish the VLAN by either frame-tagging or filtering, both of which look at the frame and decide where it should be sent. Frame tagging "tags" a frame to keep track of it as it travels through the switch's fabric. Frame filtering examines specific information from each frame through a filtering table that is developed for the switch, allowing for examination of many different frame attributes. But frame filtering is less scalable than frame tagging because each frame needs to be referenced to a filter table. Frame tagging is considered the most efficient way to go, according to IEEE 802.1q.
VLAN configuration resources
- Get more information on configuring VLANs in this step-by-step screencast from David Davis. You'll learn how to configure your routers and switches, set up and assign the trunk ports, and perform the necessary tests to get traffic moving across your VLAN successfully.
- Chapter 3 of CCNA Self-Study by Steve McQuerry explores how VLANs control broadcasts in your network to provide more efficiency and extending switched networks with VLANs.
VLANs and server virtualization go hand in hand. Server virtualization allows organizations to reduce the number of physical servers in the data center and provide scalable flexibility to other business needs, such as business applications. VLANs are integral to a virtualized environment thanks to the mobile nature of virtual machines.
The associated layer 2 services must be supported by the network mechanisms, and the best way to do this is to limit virtual machine mobility to physical servers in the same VLAN. By placing many servers in a single VLAN and limiting the virtual machines to that VLAN, there is easy migration of virtual machines between the physical servers. Not only do VLANs enable free movement of the virtual machines, they also allow network administrators to track them, keeping them secure and easily manageable.
One of the major challenges in server virtualization is in data center network configuration, and this includes VLANs. Many server virtualization products include extensive support for 802.1q VLAN tags. Data center network admins must configure VLANs on the switches to interact with the physical servers running the server virtualization software. Improperly configured VLAN settings can cause connectivity disruption for any workload running on that physical server.
VLANs and server virtualization resources
- This tip examines how VLAN configuration and increased VLAN usage can make server virtualization more manageable and address network configuration woes.
- In a virtualized environment, network configuration is one of the most critical aspects. In this tip, learn how to configure a virtual network for a Hyper-V environment using VLAN trunks.
- There are ways to create a network design diagram for VLAN configuration in Hyper-V, even though it lacks a network visualization tool. Find out how to do so in this tip from SearchServerVirtualization.com.
VLAN trunking can be applied to wireless networking to help prioritize traffic. VLAN access points (APs) can be set up to work as multiple virtual WLAN infrastructures, using VLANs for varying levels of security -- some for low-security guest Internet access, others for minimal-security enterprise users, a high-security VLAN for administrators, and so on. Using VLAN 802.1q tags, a network administrator can map wireless traffic to multiple VLANs and assign priority.
How exactly does this work? Wireless AP traffic is concentrated through an 802.1q-capable wireless switch or gateway; the device tags the packets before forwarding them. Through appropriate tagging, the packets move onto roles defined by the tags, whether the role be guest or employee.
With administrative traffic kept isolated from end-user traffic, network administrators can breathe a little easier, knowing that wireless data is being routed properly thanks to VLAN tagging.
VLAN and WLAN resources
- Learn different methods of creating VLANs on a WLAN in this expert response from Lisa Phifer.
- This tip describes how to use these same VLAN capabilities, found in both wired and wireless devices, to tag and compartmentalize Wi-Fi traffic, supporting your company's security and traffic management policies.
- 802.1X/EAP makes it possible to authenticate individual wireless users. But 802.1X can also be used to funnel wireless traffic onto VLANs, enforcing user or group-based permissions. This tip explains how to use RADIUS attributes returned by 802.1X to supply VLAN tags, establishing that critical link between authentication and authorization.
- Many business networks rely on VLANs to partition Ethernets and control the destinations reached by each accessing user. Enterprise users shift between Ethernet and Wi-Fi throughout the workday, so it makes sense to apply VLANs to both wired and wireless network access. This tip describes best practices for mapping Wi-Fi stations onto corporate VLANs.
- Get tips and advice on implementing a split VLAN wireless structure with an authenticated access and Internet only access.
Even after VLANs have been implemented properly and efficiently, it is inevitable that network administrators and managers will run into problems. Troubleshooting VLANs is not quite as simple as troubleshooting a traditional network. It's relatively easy to tell if a network device isn't performing. But in a switched network with virtual trunks and paths, it's not always easy to tell what's making a network run slowly. Plugging in that protocol analyzer isn't going to cut it for troubleshooting VLANs, and the resources below will help you monitor the problems.
VLAN troubleshooting resources
- When troubleshooting a virtual LAN (VLAN), learn how to monitor 802.1q tagged traffic within a network in this advice from our routing and switching expert.
- VLANs are popular targets for attacks. Learn how to secure a VLAN from popular attacks such as the VLAN Hopping attack and Address Resolution Protocol attack.
This was first published in March 2010