Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

VLAN Implementation Guide: The Basics

  • In order to understand the purpose of VLANs, it's best to look at how Ethernet networks previously functioned. Prior to VLANs and VLAN-aware switches, Ethernet networks were connected using Ethernet hubs. A hub was nothing more than a multi-port repeater. When an end device sent information onto the Ethernet network toward a destination device, the hub retransmitted that information out all other ports as a network-wide broadcast.

    The destination device would receive the information sent, but so would all other devices on the network. Those devices would simply ignore what the heard. And while this method worked in small environments, the architecture suffered greatly from scalability issues. Too much time was spent discarding received messages and waiting for a turn to transmit their own messages that Ethernet networks using hubs became congested.

    A layer 2 aware switch solves this problem using two different methods. First, the switch has the ability to learn and keep track of devices by their MAC address. By maintaining a dynamic table of MAC address to switch port number, the switch has the ability to send messages directly from a source device to the destination device in a unicast transmission as opposed to a broadcast transmission that is sent to all devices. This is known as the switch forwarding table.

    While the forwarding table does a great deal to limit broadcast messages, and thus reduce the amount of broadcast overhead, it does not completely eliminate it. Broadcast messages are still required in many situations. And as such, the more devices on a physical network, the more broadcast messages are going to be clogging up the network.

    That leads us to our second method that layer 2 switches use to streamline Ethernet communication. Instead of having one large layer 2 network, VLANs are used to segment a switch -- or network of switches -- into multiple, logical layer 2 networks. Broadcast messages sent and received are contained within each smaller VLAN. Thus, if you have a network of 1,000 end devices and create 4 VLANs of 250 devices each, each logical network must only have to deal with 250 devices of broadcast overhead, as opposed to all 1,000 if they were on the same layer 2 network.

  • VLAN trunks

    Now that you have an understanding of the purpose of VLANs, the next skill to acquire is the understanding of VLAN trunks. Large networks often contain more than one switch. And if you want to span virtual LANs across two or more switches, a VLAN trunk can be used. VLAN information is local to each switch database, so the only way to pass VLAN information between switches is to use a trunk.

    A VLAN trunk can be configured to pass VLAN data for one or all VLANs configured on a switch. The trunk keeps track of which VLAN that the data belongs to by adding a VLAN tag to each Ethernet frame that is passed between switches. Once the receiving switch receives the frame, it strips the VLAN tag off and places the frame onto the proper local VLAN.

  • Inter-VLAN routing

    The last basic skill regarding VLANs on enterprise networks is the concept of inter-VLAN routing. While devices on the same VLAN can communicate with other devices in the same VLAN, the same cannot be done when the devices belong to different VLANs. This is where inter-VLAN routing is necessary.

    As we have learned, a VLAN breaks up a physical layer 2 network into multiple, logical layer 2 networks. In order to move between these layer 2 networks, this traffic needs to be routed at layer 3. So while switches can send data from source devices to destination devices using layer 2 MAC addresses, inter-VLAN routing using IP addressing. This can be either IP version 4 or IPv6, although most enterprise networks still use IPv4 on internal networks.

    On enterprise networks that are well planned, each VLAN configured is its own unique IPv4 subnet. For example, devices on VLAN 10 will be configured to use IPv4 addresses in the 10.10.10.X IP space while devices on VLAN 99 will be configured to use IPv4 addresses in the 10.10.99.x space. In addition to each device having its own IP address and subnet mask, a default gateway IP addresses is required. Every device in VLAN 10 will be configured to use the same default gateway IP address such as 10.10.10.1 and every device configured for VLAN 99 will use the gateway of 10.10.99.1. The default gateway IP address is a router interface (either physical or virtual) that is responsible for routing traffic to other IP networks.

    So if a device in VLAN 10 needs to communicate with a device in VLAN 99, the VLAN 10 device will forward the data to its default gateway. Layer 3 routing will occur and forward the data to the default gateway of VLAN 99. Once on the correct destination VLAN, the data is then forwarded at layer 2 to the destination endpoint.

  • Planning a VLAN strategy

    Depending on the size of the network, planning a VLAN strategy can be either fairly easy, or somewhat complex. Remember, because each VLAN is also its own sub-network, we have to come up with a VLAN strategy where it makes the most sense in terms of grouping devices. In todays modern networks with virtualized layer 2 and layer 3 networks, the number of VLANs and layer 3 interfaces that can be configured on enterprise hardware is in the multiple thousands. Additionally, since inter-VLAN routing can now be performed at wire speed, there is no noticeable difference between sending/receiving traffic from devices on the same VLAN vs. different VLANs.

    That being said, due to broadcast overhead, its typically advisable that a single VLAN not have any more than 500 or so devices. Any more than this and you begin to start having network congestion problems due to a significant increase in broadcast traffic on the layer 2 segment. Most network designs call for subnet sizes that have no more than 250 devices.

    In terms of how to segment devices onto different VLANs, security is the primary factor today. From a security standpoint, its best to place similar devices onto the same subnets. For example, put all employee computers on VLAN 10, printers on VLAN 20, servers on VLAN 50 and IP phones on VLAN 100. By doing this, you can easily apply layer 3 filters or firewall rules that target specific devices in how traffic in and out of that VLAN is treated.

  • Configuring a VLAN and adding a switch port

    Lets now move onto how to configure VLAN basics using a Cisco switch. In this example, we will configure VLAN 80 as our server VLAN. We will then configure switch port 10 to use this new VLAN. Keep in mind that out of the box, only VLAN 1 is configured on the switch and all switch ports are configured to use this VLAN.

  • Configuring a VLAN trunk

    In this next example, lets assume that we have two switches that are connected by a single Ethernet interface: port 20 on both switches. Each switch has been configured with VLAN 1, 2 and 3. The goal is to trunk only these three VLANs of the two switches together. To accomplish this, configure the following on both switches (see above).

  • Configuring a SVI for inter-VLAN routing

    A switched virtual interface (SVI) is the name of a virtual router interface on a layer 3 switch. The virtual interface is the VLAN's default gateway used for routing traffic between networks. In this example, we will configure a SVI for VLAN 10 and VLAN 20. VLAN 10 will use the IPv4 subnetwork of 10.10.10.X/24 with a default gateway of 10.10.10.1. VLAN 20 will use a subnetwork of 10.10.20.X/24 with a default gateway of 10.10.20.1. Once complete, the switch will then be able to route traffic between the two VLANs via layer 3 routing.

  • Advanced VLAN topics to research

    If youre looking to learn some more advanced skills related to VLANs, I recommend researching the following topics:

     

     

     

     

     

     

     

     

    • Spanning Tree Protocol (STP)
    • VLAN Trunking Protocol (VTP)
    • Private VLANs
    • Dynamic VLANs
    • VLAN security weaknesses

     

If you're just getting started in the world of network administration and architecture, there's no better place to begin than with a solid understanding of virtual LANs (VLANs).