Lab 5

Virtual Local Area Network (VLAN)


What is a VLAN
• A VLAN is a logical grouping of networking devices. A VLAN can span multiple physical locations.
• When we create VLANs, we break a large broadcast domain into smaller broadcast domains.
• Think of a VLAN as a subnet. Just as two different subnets cannot communicate with each other without a router, different VLANs also require a router to communicate.

Advantages of VLAN
VLANs provide the following advantages:

• Solve the broadcast problem
• Reduce the size of broadcast domains
• Allow us to add an additional layer of security
• Make device management easier
• Allow us to implement the logical grouping of devices by function instead of location
Solve the broadcast problem:

• When we connect devices to switch ports, the switch creates a single broadcast domain for all ports. The switch forwards a broadcast frame out of all possible ports.
• In a large network with hundreds of computers, this can create performance issues.
• Of course we could use routers to solve the broadcast problem, but that would be a costly solution since each broadcast domain requires its own port on the router.
• The switch has a unique solution to the broadcast issue, known as VLAN. In a practical environment we use VLANs instead of routers to solve the broadcast issue.

Reduce the size of broadcast domains:

• VLANs increase the number of broadcast domains while reducing their size.
• For example, suppose we have a network of 100 devices. Without any VLAN implementation we have a single broadcast domain that contains 100 devices.
• We create 2 VLANs and assign 50 devices to each VLAN. Now we have two broadcast domains with fifty devices in each.
• Thus more VLANs mean more broadcast domains with fewer devices in each.
Allow us to add an additional layer of security:

• VLANs enhance network security.
• In a typical layer 2 network, all users can see all devices by default. Any user can see network broadcasts and respond to them. Users can access any network resource located on that specific network. Users could join a workgroup just by attaching their system to an existing switch.
• This could create real trouble for security. Properly configured VLANs give us total control over each switch port and its users.
• With VLANs, you can prevent users from gaining unwanted access to resources. We can put the group of users that needs high-level security into its own VLAN so that users outside that VLAN can't communicate with them.

Make device management easier:

• Device management is easier with VLANs.
• Since VLANs are a logical approach, a device can be located anywhere in the switched network and still belong to the same broadcast domain.
• We can move a user from one switch to another switch in the same network while keeping the user's original VLAN.
Allow us to implement the logical grouping of devices by function instead of location:

• VLANs allow us to group users by their function instead of their geographic location.
• Switches maintain the integrity of your VLANs. Users will see only what they are supposed to see, regardless of their physical location.
Example:

• A company has three offices. All offices are connected.
• The company has three departments: Development, Production and Administration.
• With the default configuration, all computers share the same broadcast domain. The Development department can access the Administration or Production department's resources.
Example:
• With VLANs we can create logical boundaries over the physical network.
• Assume that we created three VLANs for our network and assigned them to the related computers.
- VLAN Admin for the Administration department
- VLAN Dev for the Development department
- VLAN Pro for the Production department
• Physically we changed nothing, but logically we grouped devices according to their function. These groups [VLANs] need a router to communicate with each other. Logically our network looks like the following diagram.

• With the help of VLANs, we have separated our single network into three small networks. These networks do not share broadcasts with each other, which improves network performance. VLANs also enhance security. Now the Development department cannot access the Administration and Production departments directly. Different VLANs can communicate only via a router, where we can configure a wide range of security options.
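
The three-office example above as a small model, added here and not part of the lab handout. The host names, the VLAN IDs 10/20/30, the chain of office switches and the assumption that inter-office links carry every VLAN are all constructed for illustration.

```python
from collections import deque

# Constructed topology: three office switches in a chain. The inter-office
# links are assumed to carry every VLAN.
LINKS = {"office1": ["office2"], "office2": ["office1", "office3"],
         "office3": ["office2"]}

# Constructed hosts: name -> (switch it plugs into, department).
HOSTS = {
    "dev-pc1": ("office1", "Dev"), "adm-pc1": ("office1", "Admin"),
    "dev-pc2": ("office2", "Dev"), "pro-pc1": ("office2", "Pro"),
    "adm-pc2": ("office3", "Admin"), "pro-pc2": ("office3", "Pro"),
}

DEFAULT = {"Admin": 1, "Dev": 1, "Pro": 1}       # default: every port in VLAN 1
SEGMENTED = {"Admin": 10, "Dev": 20, "Pro": 30}  # assumed IDs, one per department


def broadcast_receivers(sender, vlan_of_dept):
    """Hosts that receive a layer 2 broadcast sent by `sender`, sorted by name."""
    start, dept = HOSTS[sender]
    vlan = vlan_of_dept[dept]
    seen, queue, receivers = {start}, deque([start]), []
    while queue:
        switch = queue.popleft()
        # Flood to every local port in the sender's VLAN except the ingress port.
        for host, (sw, host_dept) in HOSTS.items():
            if sw == switch and host != sender and vlan_of_dept[host_dept] == vlan:
                receivers.append(host)
        # Pass the frame over inter-office links, visiting each switch once.
        for neighbour in LINKS[switch]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return sorted(receivers)


def broadcast_domains(vlan_of_dept):
    """Map each VLAN ID to the sorted hosts that share its broadcast domain."""
    domains = {}
    for host, (_, dept) in HOSTS.items():
        domains.setdefault(vlan_of_dept[dept], []).append(host)
    return {vlan: sorted(hosts) for vlan, hosts in domains.items()}


if __name__ == "__main__":
    print("default  :", broadcast_receivers("dev-pc1", DEFAULT))
    print("segmented:", broadcast_receivers("dev-pc1", SEGMENTED))
    print("domains  :", broadcast_domains(SEGMENTED))
```

With the default mapping a broadcast from one Development PC reaches all five other hosts; with one VLAN per department it reaches only the other Development PC, even though that PC sits in a different office.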
VLAN Membership:
VLAN membership can be assigned to a device by one of two methods:
• Static or Dynamic
These methods decide how a switch will associate its ports with VLANs.

Static:
• In this method we manually assign a VLAN to a switch port. VLANs configured in this way are usually known as port-based VLANs.
• Assigning VLANs statically is the most common and secure method.
• It is pretty easy to set up and supervise.
• Any switch port to which we have assigned a VLAN keeps this association unless we manually change it. This works really well in a networking environment where any user movement within the network needs to be controlled.

Dynamic:
• VLANs are assigned to ports automatically depending on the connected device.
• In this method we have to configure one switch in the network as a server. The server contains device-specific information such as MAC address, IP address etc. This information is mapped to VLANs.
• The switch acting as server is known as the VMPS (VLAN Membership Policy Server). Other switches work as clients and retrieve VLAN information from the VMPS.
• Dynamic VLANs support plug-and-play mobility. For example, if we move a PC from one port to another port, the new switch port is automatically configured for the VLAN to which the user belongs. In the static method we have to do this manually.
VLAN Connections:
During the configuration of a VLAN on a switch port, we need to know what type of connection it has. A switch supports two types of VLAN connection:
Access link or Trunk link

Access link:
• An access link is a connection where the switch port is connected to a device that has a standard Ethernet NIC.
• A standard NIC only understands IEEE 802.3 or Ethernet II frames.
• An access link can only be assigned a single VLAN.

Trunk link:
• A trunk link is a connection where the switch port is connected to a device that is capable of understanding multiple VLANs.
• Usually a trunk link is used to connect two switches, or a switch to a router.
• A VLAN can span anywhere in the network; this is possible because of trunk links.
• Trunking allows us to send or receive VLAN information across the network.
• To support trunking, the original Ethernet frame is modified to carry VLAN information.
• Trunk tagging: In tagging, the switch adds the source port's VLAN identifier to the frame so that the device at the other end can understand which VLAN originated the frame.
• Switches support two types of Ethernet trunk tagging methods:
- ISL [Inter-Switch Link, Cisco's proprietary protocol for Ethernet]
- Dot1q [IEEE 802.1Q, protocol for Ethernet]
Checking existing VLANs:
Creating VLAN statically:
Assigning interfaces to created VLANs:
Assigning interfaces to created VLANs (Multiple interfaces assigning):
