Virtual Local Area Network
A Virtual Local Area Network (VLAN) is a logical subnet within a switch or an entire physical network. It can extend across multiple switches. A VLAN divides a physical network into subnetworks by ensuring that VLAN-capable switches do not forward frames (data packets) into another VLAN, even though the subnetworks may share the same switches.
Reasons, advantages and disadvantages
Today, local networks are usually built from active components that work at OSI Layer 2; as a rule these components are switches. Thanks to the switch implementations common today, which usually run links in full-duplex mode and without collisions, very large yet high-performance LANs with a few hundred or even thousands of stations can be built.
A subdivision of such networks can be desirable for several reasons:
- Flexibility in assigning end devices to network segments, regardless of where the device is physically connected.
- Performance aspects: for example, certain traffic such as VoIP can be placed in a VLAN whose traffic is prioritized during transmission. Often, however, the goal is simply to shrink broadcast domains so that broadcasts do not propagate across the entire network.
- Security aspects: VLANs can protect networks against spying and eavesdropping better than flat switched networks. Switched networks were once considered to have a security advantage over shared media; de facto this is no longer the case, since numerous attacks against them exist, such as MAC flooding or MAC spoofing. VLANs are more robust because the VLANs are connected by routers, which do not forward Layer 2 frames and are therefore inherently insensitive to Layer 2 attacks: such an attack stays confined to the VLAN in which it originates. In addition, routing makes it possible to use firewalls at Layer 3, which opens up a much larger choice of firewall systems (Layer 2 firewalls are comparatively rare). Particular care is required, however, with dynamic VLANs and with switches that operate in automatic learning mode (see VLAN types below): these can be compromised in the same way as plain switches and can thus render the intended security gain of a VLAN deployment ineffective.
The latter two aspects could also be achieved with appropriate cabling and several separate switches and routers. With VLANs, however, this is achieved independently of the physical cabling, which usually already exists and can only be extended at great expense; besides the gained flexibility this can also make economic sense: VLAN-capable devices are more expensive, but they may replace several individual devices.
Assignment of data traffic to VLANs
Traffic can be assigned to a VLAN statically, via the port assignment on the switches or via special markings in the frames (tags), or dynamically (for example by MAC address, by IP address, or even by TCP/UDP port and higher-layer protocol). Assigning a port to a VLAN only after the user has authenticated is also possible, e.g. with IEEE 802.1X.
Each VLAN forms its own broadcast domain, just like a physically separate network segment. A router is required to forward traffic between VLANs. Modern switches provide this function internally; one then speaks of a Layer 3 switch.
The advantage of VLANs over physically separate subnets is that a client can be moved from one VLAN to another by reconfiguring the interconnecting device (switch, multilayer switch or router), without changing any physical connection.
Connection of VLAN switches
If a VLAN extends over several switches, either a separate link (cable) is required for each VLAN, or VLAN trunks (VLT) are used. The method corresponds to statistical (asynchronous) multiplexing: a VLT carries frames of the different VLANs over a single connection. Both individual ports and bundled ports (see link aggregation) can be used for this.
VLAN types
Older VLAN-capable switches could only handle port-based VLANs, which had to be configured statically. Dynamic VLANs and proprietary tagged VLANs developed later. The standardized tagged VLANs based on IEEE 802.1Q that dominate today ultimately emerged from the proprietary tagged VLANs.
Port-based VLANs
Port-based VLANs are the original form of VLANs. Managed switches segment a physical network port by port into several logical networks by assigning each port to a VLAN. Any tag present in a frame is removed by the switch before the frame is forwarded out of such a port; one speaks here of an untagged port. Port-based VLANs can also be extended across multiple switches; nowadays a trunk port (a port configured as tagged) is used for this. To connect the networks segmented in this way where necessary, a router, for example, is used. Port-based VLANs belong to the static VLAN configurations and are, so to speak, the opposite pole of the dynamic VLANs. A port can also be configured as both tagged and untagged at the same time (untagged for one VLAN, tagged for others). This is the case, for example, when several devices (e.g. a VoIP telephone and a desktop PC) are connected through one port.
Tagged VLANs
Tagged VLANs, which work on a per-frame basis, differ from the older, tagless, port-based VLANs. The term tag refers to the label attached to the frame, by analogy with the tags used to mark goods. Tagged VLANs are networks whose frames carry an additional VLAN tag.
Tagging is also used where VLANs extend across multiple switches, i.e. on trunk ports. The frames are marked to show which VLAN they belong to.
The tag adds VLAN-specific information to the frame. This category includes VLANs based on IEEE 802.1Q, Shortest Path Bridging, Cisco's Inter-Switch Link protocol (ISL) and 3Com's VLT (Virtual LAN Trunk) tagging. An 802.1Q tag is four bytes inserted after the source MAC address: the TPID 0x8100, followed by a 16-bit tag control field holding a 3-bit priority (PCP), a drop-eligible bit (DEI) and a 12-bit VLAN ID; IDs 0 and 4095 are reserved, so 1 to 4094 are usable. So that 802.1Q VLAN technology remains transparent to older computers and systems in a network, switches must be able to add and remove these tags as required.
In the case of port-based VLANs (i.e. frames that carry no tag), a VLAN tag identifying the VLAN the frame belongs to is added before the frame is placed on a trunk; the switch at the far end must remove it again. With tagged VLANs according to IEEE 802.1Q, on the other hand, frames are tagged either by the end device (e.g. a tagging-capable server) or by the switch at the ingress port, so a switch can place such a frame on a trunk unchanged. If a switch receives a frame with an 802.1Q tag on a VLT port (trunk port), it can likewise forward it unchanged. Only the switch at the delivering port has to distinguish whether it serves a tagging-capable device (the frame may remain unchanged) or a device that cannot handle tags but belongs to that VLAN (the tag must be removed); for this, the VLAN ID associated with the port must be stored in the switch. Since on an 802.1Q trunk every frame is identified by its tag, a trunk must either be assigned all VLAN IDs it is to forward, or be configured to forward all VLANs. If untagged frames arrive on a trunk port, depending on the configuration they are either assigned to a default VLAN (the native VLAN; the switch adds the tag later) or discarded.
If a switch receives untagged frames (also called native frames) on one of its ports, e.g. from an older device, the switch must attach the tag itself. For this purpose a VLAN ID is assigned to the port in question, either by default or by management. The switch that delivers a frame must proceed in the same way if the destination system cannot handle tags: the tag must be removed.
Automatic learning of the settings belonging to VLTs (trunk ports) is standard today with most VLAN-capable switches. A switch must cope with mixed operation of frames that carry no tag and frames that are already tagged. VLTs are learned in the same way as MAC addresses: if the switch receives a tagged frame with a VLAN ID, it first assigns the port to that VLAN; if it receives frames with different VLAN IDs on one port within a short period, the port is identified as a VLT and used as a trunk. Simple (unmanaged) switches usually form an additional native VLAN for all frames that carry no tag; such frames are generally left as they are, and a trunk port is treated like a normal (uplink) port. Alternatively a default tag can be added. This convenience has a security cost: any host that sends tagged frames with several VLAN IDs can get its port promoted to a trunk and thereby reach every VLAN carried by the switch. On managed switches, ports for end devices should therefore be configured statically as access ports with trunk auto-negotiation disabled.
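The ingress and egress handling described above, as an added example that is not part of the article and not the code of any switch vendor: a small Python model of 802.1Q tag insertion, parsing and removal, with the access-port and trunk-port behaviour (native VLAN, allowed VLAN list) reduced to a few functions. All frames are constructed in the code, the MAC addresses are arbitrary, and real switches differ in details such as what an access port does with a frame that already carries a tag.

```python
"""Simplified 802.1Q tag handling as a switch performs it at access and trunk ports."""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag
VID_MIN, VID_MAX = 1, 4094   # VID 0 (priority-tagged) and 4095 are reserved


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame without FCS; MACs are 6-byte strings."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ethertype) + payload


def parse_tag(frame):
    """Return (pcp, dei, vid) of the outermost 802.1Q tag, or None if untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13, (tci >> 12) & 1, tci & 0x0FFF)


def add_tag(frame, vid, pcp=0, dei=0):
    """Insert a tag after the source MAC (what an ingress port does to an untagged frame)."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the outermost tag only; a second (inner) tag, if any, stays in place."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def trunk_ingress(frame, native_vid, allowed_vids):
    """Classify a frame arriving on a trunk: (vid, tagged_frame), or None if dropped."""
    tag = parse_tag(frame)
    if tag is None or tag[2] == 0:            # untagged or priority-tagged: native VLAN
        pcp = tag[0] if tag else 0
        return native_vid, add_tag(strip_tag(frame), native_vid, pcp=pcp)
    if tag[2] not in allowed_vids:            # VLAN not carried on this trunk
        return None
    return tag[2], frame


def trunk_egress(frame, native_vid):
    """Native-VLAN frames leave the trunk untagged; all other frames keep their tag."""
    tag = parse_tag(frame)
    if tag is not None and tag[2] == native_vid:
        return strip_tag(frame)
    return frame


def access_egress(frame):
    """An untagged (access) port never hands a tag to the end device."""
    return strip_tag(frame)


def demo_double_tag():
    """Constructed scenario: a host whose access port sits in the trunk's native VLAN (1)
    sends a frame that already carries two tags, outer VID 1 and inner VID 20. The first
    switch treats it as a VLAN 1 frame and, because VLAN 1 is native on the trunk, sends it
    without the outer tag. Returns the VID the downstream switch assigns to the frame."""
    native, target = 1, 20
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800, b"constructed")
    frame = add_tag(add_tag(frame, target), native)
    on_wire = trunk_egress(frame, native)                          # outer tag removed
    vid, _ = trunk_ingress(on_wire, native, {native, 10, target})  # inner tag now counts
    return vid
```

The last function shows why the native VLAN of a trunk should not be the VLAN of any access port: once the outer tag is gone, the inner tag is all the next switch sees. Common countermeasures are to set the native VLAN to an otherwise unused ID and, where the switch supports it, to tag the native VLAN on trunks as well.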
In contrast to VLT, the term trunk is often used with a completely different meaning, see also bundling (data transmission) .
In general, security should no longer be counted among the features of tagged VLANs. Switches can be compromised in numerous ways and must therefore always be classified as untrusted. An attacker can also start directly at the cabling: there are, for example, probes sold as accessories for professional network analysers that are clipped onto a cable from the outside and measure its weak electromagnetic field; in this way the entire traffic on that cable can be read and recorded completely unnoticed. Only strong encryption helps against this, e.g. IPsec at Layer 3, which some LAN cards implement directly in hardware, or MACsec (IEEE 802.1AE) on the link itself.
Assignment of a VLAN ID
Static VLANs
A VLAN configuration is permanently assigned to a switch port. The port then belongs to a port-based VLAN or an untagged VLAN, or it is a port that belongs to several VLANs. With static VLANs the configuration of a port is fixed by the administrator; it does not depend on the contents of the frames and, in contrast to dynamic VLANs, cannot change. The end device on that port can therefore communicate only within the assigned VLANs. If a port belongs to several VLANs, it is a VLAN trunk and is then usually used to extend the VLANs across several switches.
The ability to assign a port to multiple VLANs means that routers and servers, for example, can be connected to multiple VLANs over a single link without needing a physical network interface for each subnet. A single device can thus offer its services in several VLANs, even without a router, without the stations of the different VLANs being able to communicate with one another.
These VLAN trunks must not be confused with trunks in the sense of link aggregation, where several physical transmission paths are bundled to increase throughput.
Dynamic VLANs
With a dynamic VLAN, the VLAN a frame belongs to is determined from certain contents of the frame. Since every field of a frame can be manipulated practically at will by the sender, dynamic VLANs should not be used in security-relevant areas. Dynamic VLANs are the counterpart of static VLANs. Membership can be based, for example, on MAC or IP addresses, on the protocol type (EtherType, e.g. 0x809B Apple EtherTalk, 0x8137 Novell IPX, 0x0800 IPv4 or 0x88AD XiMeta LPX), or at the application level on TCP/UDP port numbers (port 53: DNS, 80: HTTP, 3128: Squid proxy). In effect this amounts to an automated assignment of a switch port to a VLAN.
Membership can also be derived from the packet type and thus, for example, separate an IPX/SPX network from a TCP/IP network. This technique is no longer widespread today, since TCP/IP has displaced all other protocols in most networks.
Dynamic VLANs can also be used, for example, to ensure that a mobile device always belongs to a specific VLAN regardless of the network socket it is plugged into. Another possibility is to direct a certain part of the traffic, such as VoIP, into a special VLAN for performance reasons (or, now outdated, for security reasons).
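The classification described in this section, as an added example that is not part of the article: a Python model of a dynamic VLAN policy that assigns a VLAN from the source MAC address, the EtherType or the TCP/UDP destination port (first matching rule wins), placed next to a static port-based assignment. The policy table, the MAC addresses and the frames are all constructed for the example; the point it makes is the one the text makes, namely that any host can rewrite the fields the dynamic policy trusts.

```python
"""Dynamic VLAN classification from frame contents, next to a static port-based assignment."""
import struct

ETHERTYPE_IPV4, ETHERTYPE_IPX = 0x0800, 0x8137
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Constructed policy (assumed identities): first matching rule wins, see classify_dynamic().
MAC_VLANS = {b"\x00\x11\x22\x33\x44\x55": 10}     # file server's MAC -> server VLAN 10
ETHERTYPE_VLANS = {ETHERTYPE_IPX: 40}             # legacy IPX traffic -> VLAN 40
L4_PORT_VLANS = {53: 20, 80: 20, 3128: 20}        # DNS, HTTP, Squid proxy -> VLAN 20
DEFAULT_VLAN = 99                                 # everything else -> guest VLAN


def l4_dst_port(frame):
    """Destination TCP/UDP port of an untagged IPv4 frame, or None if not applicable."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip[9] not in (IPPROTO_TCP, IPPROTO_UDP) or len(ip) < ihl + 4:
        return None
    return struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]


def classify_dynamic(frame):
    """Dynamic VLAN: membership derived from source MAC, then EtherType, then L4 port."""
    src_mac = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if src_mac in MAC_VLANS:
        return MAC_VLANS[src_mac]
    if ethertype in ETHERTYPE_VLANS:
        return ETHERTYPE_VLANS[ethertype]
    port = l4_dst_port(frame)
    if port in L4_PORT_VLANS:
        return L4_PORT_VLANS[port]
    return DEFAULT_VLAN


def classify_static(port_vlans, switch_port, frame):
    """Static VLAN: the administrator's port assignment decides; frame contents are ignored."""
    return port_vlans[switch_port]


def spoof_source_mac(frame, mac):
    """Rewrite the source MAC, which any host can do for the frames it sends."""
    return frame[:6] + mac + frame[12:]


def build_ipv4_tcp_frame(dst_mac, src_mac, dst_port):
    """Constructed IPv4/TCP frame; only the fields the classifier inspects are meaningful."""
    ip_header = bytes([0x45, 0]) + struct.pack(
        "!HHHBBH4s4s", 40, 0, 0, 64, IPPROTO_TCP, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp_header = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip_header + tcp_header
```

Running a frame from an unknown MAC through `classify_dynamic` lands it in the guest VLAN, while the same frame with the file server's MAC written into the source field lands in the server VLAN; `classify_static` returns the port's VLAN in both cases. That difference is the whole argument for keeping dynamic VLANs out of security-relevant segmentation.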
Literature
- Rolf-Dieter Köhler: On the way to multimedia networks. VPN, VLAN technologies, data prioritization. 1999, ISBN 3-931959-26-0
- IEEE Std 802.1Q-2003, Virtual Bridged Local Area Networks. 2003, ISBN 0-7381-3663-8 (English, ieee.org [PDF; 3.5 MB; accessed on November 5, 2016]).
Web links
- VLAN: Virtual LAN, protect networks with VLANs at Heise
- VLAN basics. Thomas Krenn Wiki (with schematic illustrations)
- GARP VLAN Registration Protocol (GVRP), based on the Generic Attribute Registration Protocol (English)