What is VLAN and how does it help organize a network in business

VLAN: what is it and how does it work?

Sometimes VLAN (Virtual Local Area Network) is confused with VPN (Virtual Private Network). However, they are different technologies, although both are aimed at improving network security and providing some control over traffic.

VPN is a service that connects users to a remote network over the Internet. Whereas a VLAN is a virtual local area network created within the physical infrastructure, which is independent of the physical topology and can logically connect geographically distributed devices to each other. Devices in the same VLAN can communicate with each other without the need for a router, which makes such a network very efficient and easy to manage.

A VLAN is created using managed or smart switches whose ports are assigned VLAN IDs to which it belongs. Typically, a single physical switch can have multiple VLANs configured. On a switch port, data from a device is labeled with a special identifier called a tag. The tag identifies which VLAN the data should be sent to. After the switch looks up the tag, it forwards the data to the devices in that VLAN.

Types of VLANs

Different types of VLANs can be used in computer networks depending on how they are created:

1. Port-based or interface-based VLANs. This type of network is the most common and is used in small or home office networks. Port-based VLANs assign specific VLANs to individual ports on the switch. Thus, when a device connects to a port, it becomes a member of the VLAN assigned to that port. The main purpose of this type of VLAN is to facilitate network traffic management and to allow communication between different devices within the same broadcast domain. Administrators can reassign a switch port to a different VLAN to change the VLAN of a device.
2. MAC address-based VLANs. This solution greatly increases network flexibility. If users change physical locations frequently, the system administrator does not need to reconfigure the network.
3. IP-based VLAN. This is a solution for simplified management with fewer security requirements. This type of VLAN allows a work PC to automatically join a new VLAN after an IP address change.
4. Protocol-based VLAN.
5. VLAN combo.

There are two types of switch ports in a VLAN:

• Access port or untagged port — a port that belongs to a single VLAN and carries traffic to or from the device without a VLAN tag. It supports only one VLAN. Any frame that passes from a device through an access port is labeled with the number that belongs to that VLAN.
• Trunk (tagged) or trunk port — a port that is used to carry traffic from multiple VLANs. This port does not change the tag but only carries traffic from the VLANs allowed on that port. This allows a single physical connection to carry data for different VLANs without mixing traffic between them. Typically used between switches or between a switch and a router.

Inter-VLAN Routing

What do we do when we need to get from one VLAN to another? We put in a router. A router is a device that knows how to route traffic, i.e. find the best way to deliver it to the recipient. Routing between VLANs is called Inter-VLAN Routing, but in essence, it is no different from regular routing between IP subnets. A router is added to provide connectivity between VLANs. As a rule, a backbone channel (trunk) that contains all the necessary VLANs goes to it from one of the switches, and this scheme is called “router-on-a-stick” (lollipop, Router-on-a-Stick).

When talking about inter-VLAN routing, we cannot leave out such devices as L3 switches. These devices contain some routing functions, but, unlike routers, these functions are significantly limited and implemented in hardware. This results in higher speeds, but the flexibility of the application is lost. As a rule, such switches offer only routing functions, do not support address spoofing technology, and do not have a firewall. However, they allow fast and efficient routing between internal network segments, particularly between VLANs.

There are several advantages to using virtual LANs:

1. Improved security. VLANs allow you to isolate different groups of users or devices within the same physical network. This limits access to sensitive data and reduces the likelihood of unauthorized access. For example, the finance department can be isolated from other departments in the company.
2. Reducing broadcast traffic. Broadcast traffic is data that is sent to all devices on the network, whether they need it or not. Because devices in different VLANs cannot communicate directly, the level of broadcast traffic within the network is reduced. This optimizes network bandwidth and efficiency.
3. Flexibility and scalability. VLANs enable networks to be easily configured by creating new virtual segments without the need for additional physical hardware. This allows you to quickly adapt your network to your company's needs.
4. Ease of administration. Administrators can easily change network settings by reallocating devices between VLANs without having to change the physical connection. This also helps to centrally manage different groups of devices.
5. Facilitate support and maintenance. VLANs effectively separate different types of network resources, making them easier to monitor, diagnose, and maintain. After all, problems localized to a specific VLAN are easier to solve.
6. Integration with other technologies. VLANs can be integrated with other technologies such as QoS (Quality of Service) to prioritize traffic or VPN (Virtual Private Network) to provide remote access to the network.
7. Cost reduction. Because VLANs allow you to utilize existing physical infrastructure to create logical networks, it can significantly reduce the cost of additional hardware.

When it is recommended to use VLANs

Virtual LANs will be useful in several situations. Firstly, this form of construction can be used to segment a large network with a significant number of devices into smaller parts. This will simplify management and help to quickly detect problems. VLAN subnets also improve the security of the overall system by isolating traffic.

Secondly, it is a convenient way to organize a temporary network for events or short-term projects. Finally, if devices need to be on different subnets for any reason, there is no need to remove them from the overall physical system.

Possible VLAN usage scenarios

Here are some scenarios for using VLANs:

• Segmenting by Department. You can create VLANs for HR, Marketing, IT, etc. in the same organization.
• Guest Network. A separate VLAN can be created for guests, which will allow them to connect to the Internet but will not have access to internal corporate resources. Using a VPN will further secure the connection.
• Security Isolation. If your organization has sensitive information that needs to be isolated from the rest of the network (e.g. financial or personal information), a separate VLAN is created that only a limited number of individuals or servers can access.
• Traffic Segmentation. If several types of traffic (e.g. voice, video and data traffic) are running simultaneously on the network, you can create separate VLANs for each type of traffic: VLAN 1 and VLAN 2 for regular user traffic, VLAN 3 for voice calls (VoIP), VLAN 4 for video conferencing (as shown in the figure below).

Typically, voice and video traffic is given priority in the network, so voice and video are transmitted smoothly without delay. Data traffic that is isolated to its own VLAN does not interfere with real-time traffic.

• Network Expansion. If your organization has multiple branches or divisions that require connectivity to the same corporate network, a separate VLAN is created for each branch or division, even if they are physically connected to the same switch or router. This makes it possible to maintain logical isolation between branch office networks.
• Connecting Remote Workers. If some employees in your company work remotely and require access to corporate resources, you can create a separate VLAN for them without compromising the security of the main network.
• Bandwidth Optimization. When the network is overloaded with large amounts of data (e.g., cloud services or video conferencing), a VLAN is created for high-speed traffic (e.g., video or mission-critical applications) and a VLAN for less mission-critical tasks.
• Isolate Testing Environments. For testing new software or upgrades, a separate environment is created where new solutions can be tested without jeopardizing the core network.

How to connect a VLAN

In practice, there are two common ways to connect VLANs:

1. Based on one provider's network

Let's imagine that there is a company with a central office in one of the cities of Ukraine and branches all over Ukraine. It faces the task of uniting all its representative offices — for example, shops with terminal equipment and the main office (or data center) with a server — into a single local network without complex routing. However, a single telecom operator cannot do this because it is not represented in all the cities where they are located.

In this case, the company can request one of the telecom operators to connect the company's central office (or data center) with a server to the Internet. But if this operator does not have an extensive network throughout Ukraine, for the connection of the transport network to the premises of the customer, he turns to another operator with which he has points of exchange of Internet traffic. In this role, our company is ready to act, which connects the network in the way you choose and sets up VLAN without connecting directly to the Internet service.

We can also connect VLANs by direct interconnection, which is a better and more stable option. On our side, we set up a direct connection between the subscriber's equipment (end shop) and the exchange point with the operator. The latter sets up the second phase of the network in the same way — from the traffic exchange point to the customer's end equipment, i.e. the central office (or data center). Thus, each shop is connected to the local network but does not have direct access to the Internet. Internet access is set up already on the server using routing so that data exchange takes place only between the server and the shop (e.g. with access only to accounting data, document management, internal storage, etc.).

2. Involving the network of an external provider

With this method of connection, VLANs located throughout Ukraine are connected to the Internet network of any provider, and routing is carried out in the reverse way. In this case, the Internet is needed by the company only to provide a direct connection between the router and the main server, which contains all the information and service system of the entire network. And on the local computers of network operators (for example, such are network offices of the company “New Post”) the Internet will be absent — there will be only access to the server.

Summary

So, we can conclude that VLAN is a necessary tool in the modern environment, which allows you to combine different networks into one in a simple way. And Maxnet is one of those operators, whose specialists are ready to set up VLAN for your business throughout Ukraine at your request. If you want to use this technology in practice, fill out the form on the site — and our specialist will contact you to clarify the details.