Virtual LANs, or VLANs, are the first switching feature whose purpose is to improve the network rather than merely make it work. A switch forwards frames perfectly well without any VLANs; the network is simply less efficient, and less secure, than it could be.
To understand VLANs, let’s study a normal switch.
- The switch represents multiple collision domains. A collision domain encompasses all the nodes that share the same media; in other words, it is the area of impact of a collision. A switch has as many collision domains as it has ports. Typically only one node is connected to each switch port, so in practice no collisions occur in a switched network.
- The switch is one broadcast domain, meaning every node connected to the switch receives a broadcast frame except the one that sent it. If multiple switches are connected together (daisy-chained), they all belong to one broadcast domain: a broadcast entering one switch is replicated not only to all the ports of that switch but also to the ports of every other switch in the chain. As more devices are connected, network performance drops noticeably because of the broadcasts.
- The switch is one IP network (subnet). In networking there is always a logical counterpart for every physical implementation; every function has a logical as well as a physical aspect, and switches are no exception. A switch represents a physical network segment, and it also corresponds to one IP network: all the nodes connected to the switch are assigned addresses from the same subnet, with the same subnet mask.
- The switch is one failure domain. If the switch misbehaves or crashes, every computer attached to it is affected.
- The switch offers limited security. A malicious computer connected to the switch can attack its neighbours on the same network, because all the nodes connected to one switch implicitly trust each other.
Say Hello to VLANs !
VLANs are virtual separations within a switch that provide distinct logical LANs, each of which behaves as if it were configured on a separate physical switch.
VLAN logically groups the users
VLANs are identified by numbers. The 802.1Q VLAN ID field is 12 bits wide, giving the range 0 – 4095, but 0 and 4095 are reserved, so the usable IDs are 1 – 4094 and a single physical switch can hold up to 4094 VLANs. VLANs are also given names such as Finance, HR or Purchase when we create them to separate the departments of an organization.
To keep things simple, let's associate colors with VLANs. Consider a switch that has two VLANs: VLAN-Pink and VLAN-Green. Each VLAN has a group of ports as its members. The PCs connected to the Pink VLAN's ports can talk only with other PCs of the Pink VLAN and cannot talk with nodes of the Green VLAN, and vice versa.
VLANs thus make it possible to run multiple networks on the same switch.
VLANs segment broadcast domains
VLANs overcome the limitation of the switch being a single broadcast domain: each VLAN is a separate broadcast domain. As a consequence, broadcast traffic stays contained within its VLAN, which reduces its impact on the rest of the network.
If we daisy chain switches, the broadcast of one VLAN travels only to the ports of the corresponding VLAN, irrespective of the switch in the daisy chain. For example, if we daisy chain three switches, the broadcast from the Pink VLAN is replicated on all the ports that are members of the Pink VLAN in all the three switches. The Green VLAN won’t receive any broadcasts of the Pink VLAN.
VLANs give subnet correlation
Each VLAN is an IP network by itself. Thus multiple VLANs on the switch correspond to multiple networks on the switch, each having its own network address and subnet mask.
VLANs provide access control
A VLAN is isolated from the other VLANs: the switch does not forward traffic between them. Traffic from one VLAN can reach another only through a router (or a layer-3 switch), and that is where the rules go. For example, the router between the Pink and Green VLANs can be given an access list that allows traffic from the Pink VLAN into the Green VLAN only when it comes from a particular source.
VLANs provide Quality of Service
Because every frame on a trunk carries its VLAN membership (and the 802.1Q tag also carries a 3-bit priority field), it is easy to prioritize traffic per VLAN to implement quality of service.
You may have noticed the special ports on each switch that connect to another switch. These are trunks, which carry the traffic of all the VLANs.
Trunk ports are called tagged ports because they carry the VLAN membership of each frame in a tag inserted into the frame. The PC is unaware that it belongs to a VLAN: the switch adds the tag when a frame enters a trunk and removes it when the frame leaves the switch toward the PC, so a frame delivered to an end host always goes out untagged. There are two trunking protocols:
- ISL (Inter-Switch Link): Cisco's proprietary tagging scheme, now obsolete
- IEEE 802.1Q: the IEEE standard, supported by all vendors
With VLANs it is possible to build one unified network across the organization while still keeping the various departments separate from each other.
Another popular use of VLANs is to group devices of a like type, such as servers, PCs, IP phones and printers, each in their own VLAN.
There are some more interesting use cases in the virtualization world. We'll save those for another time.