How To Set Up a Virtual LAN (VLAN)

VLANs are everywhere. You can find them in most organization with a properly configured network. In case it wasn’t obvious, VLAN stands for, “Virtual Local Area Network,” and they’re ubiquitous in any modern network beyond the size of a tiny home or very small office network.

There are a few different protocols, many of which are vendor-specific, but at its core, every VLAN does much the same thing and the benefits of VLAN scale as your network grows in size and organizational complexity.

Those advantages are a big part of why VLANs are so heavily relied on by professional networks of all sizes. In fact, it would be difficult to manage or scale networks without them.

The benefits and scalability of VLANs explain why they’ve become so ubiquitous in modern network environments. It would be difficult to manage or scale even moderately complex networks with the user of VLANs.

What Is A VLAN?

Okay, so you know the acronym, but what exactly is a VLAN? The basic concept should be familiar to anyone who has worked with or used virtual servers.

Think for a second how virtual machines work. Multiple virtual servers reside within one physical piece of hardware that’s running an operating system and hypervisor to create and run the virtual servers on the single physical server. Through virtualization, you are able to effectively turn a single physical computer into multiple virtual computers each available for separate tasks and users.

Virtual LANs work in much the same way as virtual servers. One or more managed switches run the software (similar to hypervisor software) that allows the switches to create multiple virtual switches within one physical network.

Each virtual switch is its own self-contained network. The main difference between virtual servers and virtual LANs is that virtual LANs can be distributed across multiple physical pieces of hardware with a designated cable called a trunk.

How It Works

Imagine that you’re running a network for a growing small business, adding employees, dividing into separate departments, and becoming more complex and organized.

To respond to these changes, you upgraded to a 24-port switch to accommodate new devices on the network.

You might consider just running an ethernet cable to each of the new devices and calling the task done, but the problem is that the file storage and services being used by each department must be kept separate. VLANs are the best way to do that.

Within the web interface of the switch, you can configure three separate VLANs, one for each department. The simplest way to divide them is by port numbers. You could assign Ports 1-8 to the first department,  assign ports 9-16 to the second department, and finally assign ports 17-24  g to the last department. Now you have organized your physical network into three virtual networks.

The software on the switch can manage the traffic between the clients in each VLAN. Every VLAN acts as its own network and can’t interact directly with the other VLANs. Now, each department has its own smaller, less cluttered, and more efficient network, and you can manage them all through the same piece of hardware. This is a very efficient and cost-effective way to manage a network.

When you need the departments to be able to interact, you can make them do so through the router on the network. The router can regulate and control traffic between the VLANs and enforce stronger security rules.

In many cases, the departments will need to work together and interact. You can implement communication between the virtual networks through the router, setting security rules to ensure appropriate security and privacy of the individual virtual networks.

VLAN vs. Subnet

VLANs and subnets are actually quite similar and serve similar functions. Both subnets and VLANs divide up networks and broadcast domains. In both cases, interactions between subdivisions can only occur through a router.

The differences between them come in the form of their implementation and how they alter network structure.

IP Address Subnet

Subnets exist at Layer 3 of the OSI Model, the network layer. Subnets are a network level construct and are handled with routers, organizing around IP addresses.

Routers carve out ranges of IP addresses and negotiate the connections between them. This places all of the stress of network management on the router. Subnets can also become complicated as your network scales up in size and complexity.

VLAN

VLANs find their home on Layer 2 of the OSI Model. The data link level is closer to the hardware and less abstract. Virtual LANs emulate hardware acting as ndividual switches.

However, virtual LANs are able to break up broadcast domains without needing to connect back to a router, taking some of the management burdens off of the router.

Because VLANs are their own virtual networks, they have to behave somewhat like they have a built-in router. As a result, VLANs contain at least one subnet, and can support multiple subnets.

VLANs distribute network load, and. multiple switches can handle traffic within VLANs without involving the router, making for a more efficient system.

Advantages Of VLANs

By now, you’ve already seen a couple of the advantages that VLANs bring to the table. Just by the virtue of what they do, VLANs have a number of valuable attributes.

VLANs help with security. Compartmentalizing traffic limits any opportunity for unauthorized access to parts of a network. It also helps to stop the spread of malicious software, should any find its way onto the network. Potential intruders can’t use tools like Wireshark to sniff out packets on anywhere beyond the virtual LAN they’re on, limiting that threat as well.

Network efficiency is a big deal. It can save or cost a business thousands of dollars to implement VLANs. Breaking up broadcast domains greatly increases network efficiency by limiting the number of devices involved in communication at one time. VLAN decreases the need to deploy routers to manage networks.

Often, network engineers choose to construct virtual LANs on a per-service basis, separating out important or network intensive traffic like a Storage Area Network (SAN) or Voice over IP (VOIP). Some switches also allow an administrator to prioritize VLANs, giving more resources to more demanding and missing-critical traffic.

It would be terrible to need to build an independent physical network to separate out traffic. Imagine the convoluted tangle of cabling that you’d have to battle to make changes. That’s to say nothing for the increased hardware cost and power draw. It would also be wildly inflexible. VLANs solve all of these problems by virtualizing multiple switches on a single piece of hardware.

VLANs provide a high degree of flexibility to network admins through a convenient software interface. Say two departments switch offices. Does the IT staff have to move around hardware to accommodate the change? No. They can just reassign ports on the switches to the correct VLANs. Some VLAN configurations wouldn’t even require that. They’d dynamically adapt. These VLANs don’t require assigned ports.  Instead, they’re based on MAC or IP addresses. Either way, there’s no shuffling of switches or cables required. It’s much more efficient and cost-effective to implement a software solution to make change the location of a network than to move the physical hardware.

Static vs. Dynamic VLANs

There are two basic types of VLANs, categorized by the way machines are connected to them. Each type has strengths and weaknesses that should be taken into account based on the particular network situation.

Static VLAN

Static VLANs are often referred to as port-based VLANs because devices join by connecting to an assigned port. This guide has only used static VLANs as examples so far.

In setting up a network with static VLANs, an engineer would divide up a switch by its ports and assign each port to a VLAN. Any device that connects to that physical port will join that VLAN.

Static VLANs provide very simple and easy to configure networks without too much reliance on software. However, it’s difficult to restrict access within a physical location because an individual can simply plug in. Static VLANs also require a network admin to change port assignments in case someone on the network changes physical locations.

Dynamic VLAN

Dynamic VLANs rely heavily on software and allow a high degree of flexibility. An administrator can assign MAC and IP addresses to specific VLANs, allowing unencumbered movement in the physical space. Machines in a dynamic virtual LAN can move anywhere within the network and remain on the same VLAN.

Though Dynamic VLANs are unbeatable in terms of adaptability, they have some serious drawbacks. A high-end switch has to take on the role of a server known as a VLAN Management Policy Server (VMPS( to store and deliver address information to the other switches on the network. A VMPS, like any server, requires regular management and maintenance and is subject to possible downtime.

Attackers can spoof MAC addresses and gain access to dynamic VLANs, adding another potential security challenge.

Setting Up A VLAN

What You Need

There are a couple of basic items that you need to set up a VLAN or multiple VLANs. As stated before, there are a number of different standards, but the most universal one is the IEEE 802.1Q. That’s the one that this example will follow.

Router

Technically, you don’t need a router to set up a VLAN, but if you want multiple VLANs to interact, you’re going to need a router.

Many modern routers support VLAN functionality in some form or another. Home routers might not support VLAN or only support it in a limited capacity. Custom firmware like DD-WRT does support it more thoroughly.

Speaking of custom, you don’t need an off-the-shelf router to work with your virtual LANs.  Custom router firmware is usually based on a Unix-like OS such as Linux or FreeBSD, so you can build your own router using either one of those open source operating systems.

All of the routing functionality that you need is available for Linux, and you can custom configure a Linux install to tailor make your router to serve your specific needs.  For something that’s more feature-complete, look into pfSense. pfSense is an excellent distribution of FreeBSD built to be a robust open source routing solution.  It supports VLANs and includes a firewall to better secure the traffic between your virtual networks.

Whichever route you choose, make sure that it supports the VLAN features that you need.

Managed Switch

Switches are at the heart of VLAN networking. They’re where the magic happens. However, you need a managed switch in order to take advantage of VLAN functionality.

To take things a level higher, literally, there are Layer 3 managed switches available.  These switches are able to handle some Layer 3 networking traffic and can take the place of a router in some situations.

It’s important to keep in mind that these switches aren’t routers, and their functionality is limited. Layer 3 switches do decrease the likelihood of network latency which can be critical in some environments where it’s critical to have a very low latency network.

Client Network Interface Cards (NICs)

The NICs that you use on your client machines should support 802.1Q. Chances are, they do, but it’s something to look into before moving forward.

Basic Configuration

Here’s the hard part. There are thousands of different possibilities for how you can configure your network. No single guide can cover all of them. At their heart, the ideas behind nearly any configuration are the same, and so is the general process.

Setting Up The Router

You can get started in a couple of different ways. You can either connect the router to each switch or each VLAN. If you opt for just each switch, you will need to configure the router to differentiate the traffic.

You can then configure your router to handle passing traffic between VLANs.

Configuring The Switches

Assuming that these are static VLANs, you can enter your switch’s VLAN management utility through its web interface and begin assigning ports to different VLANs. Many switches use a table layout that allows you to check off options for the ports.

If you’re using multiple switches, assign one of the ports to all of your VLANs and set it as a trunk port. Do this on each switch. Then, use those ports to connect between the switches and spread your VLANs across multiple devices.

Connecting Clients

Finally, getting clients on the network is pretty self-explanatory. Connect your client machines to the ports corresponding to the VLANs that you want them on.

VLAN At Home

Even though it might not be seen as a logical combination, VLANs actually have a great application in the home networking space, guest networks. If you don’t feel like setting up a WPA2 Enterprise network in your home and individually creating login credentials for your friends and family, you can use VLANs to restrict the access your guests have to the files and services on your home network.

Many higher-end home routers and custom router firmware support creating basic VLANs. You can set up a guest VLAN with its own login information to let your friends connect their mobile devices. If your router supports it, a guest VLAN is a great added security layer to prevent your friend’s virus-riddled laptop from screwing up your clean network.