Virtual LAN (VLAN)

VLAN is a logical grouping of devices that breaks the physical boundaries among them. This means that devices connected to different #Switch, or located in different networks, can still be treated as a single group. It abstracts the network grouping and allows hosts to be treated as a single group based on their business role.

We can apply access rules and provision services to users with the same or similar responsibilities without changing the network topology or the IP Address. Furthermore, VLANs create their own Broadcast Domain# without the help of a Network Layer Network Device (modern #Switch and #Router). Basically, we could assign the hosts in a subnet# to the same VLAN. By using VLANs, we can have different broadcast domains even within a single switch, so that broadcast flooding affects only the hosts in the same grouping. If a link needs to carry more than one VLAN, #VLAN Trunking is used.

We can configure VLANs statically# or dynamically (using a Network Management System (NMS)#, grouping based on the Media Access Control Address (MAC) of the device).

Note: Avoid assigning devices to VLAN 1. It is the default management VLAN on all switches, and by default it is also the VLAN on which advertisements of Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP) are sent out, which introduces several security risks. Change the default VLAN to any VLAN other than VLAN 1.

When deleting a VLAN, the best practice is to move the assigned port or the VLAN member interface to the default VLAN 1 before the deletion. This way the interface remains visible to the system after the VLAN is deleted; otherwise it belongs to no VLAN, and such orphaned interfaces are hard to track down.
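As an added example (not part of the original note), the following Cisco IOS switch configuration applies the steps above: named VLANs instead of the default VLAN 1, a management address on a dedicated VLAN, access ports with fixed membership, a trunk uplink, and the VLAN-retirement sequence the note describes. It also covers the commands summarised in the Cisco Switch Configuration note linked below; the VLAN numbers, interface names and addresses are assumptions.

```cisco
! Added example, not from the original note: Cisco IOS switch-side VLAN
! setup following the note's guidance. VLAN numbers, interface names and
! addresses are constructed for illustration.
configure terminal
! Create and name the VLANs (Global Configuration Mode)
vlan 10
 name STAFF
vlan 20
 name PRINTERS
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
exit
! Management address lives on VLAN 99; the default VLAN 1 SVI stays down
interface vlan 1
 shutdown
interface vlan 99
 ip address 10.99.0.2 255.255.255.0
 no shutdown
exit
ip default-gateway 10.99.0.1
! Access ports: fixed membership, no DTP negotiation, no CDP towards hosts
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
exit
interface FastEthernet0/9
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
exit
! Uplink to the router: a trunk carrying only the VLANs it should
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
exit
! Keep VLAN definitions local; do not accept VTP updates from other switches
vtp mode transparent
! Retiring VLAN 20 later: move its member port to VLAN 1 first, as the
! note recommends, then delete the VLAN
interface FastEthernet0/9
 switchport access vlan 1
exit
no vlan 20
end
```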

Since VLANs practically isolate devices from one another, routing is needed for a device in one VLAN to communicate with a device in a different VLAN. A naive approach would be a separate link from each VLAN to a Router, which clearly does not scale well. Instead, we can use the capability of a modern router to divide a physical interface into multiple logical interfaces. On each logical interface, define the VLAN Trunking# standard used and the VLAN number with the command encapsulation {standard} {vlan-number}, followed by the subnet network address for that VLAN.
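As an added example (not part of the original note), a router-on-a-stick configuration in Cisco IOS that implements the logical-interface approach above, using dot1Q as the trunking standard and enforcing an inter-VLAN access rule on the router; the interface names, VLAN numbers, subnets and the access list are assumptions.

```cisco
! Added example, not from the original note: router-on-a-stick on Cisco IOS.
! Interface names, VLAN numbers and subnets are constructed for illustration.
configure terminal
! The physical interface carries the trunk and gets no IP address itself
interface GigabitEthernet0/1
 no ip address
 no shutdown
exit
! One logical subinterface per VLAN: encapsulation dot1Q {vlan-number},
! then the subnet for that VLAN (this address is the VLAN's gateway)
interface GigabitEthernet0/1.10
 description STAFF VLAN 10
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet0/1.20
 description PRINTERS VLAN 20
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
interface GigabitEthernet0/1.99
 description MGMT VLAN 99
 encapsulation dot1Q 99
 ip address 10.99.0.1 255.255.255.0
exit
! Untagged frames on the trunk map to an unused VLAN, not the default VLAN 1
interface GigabitEthernet0/1.999
 encapsulation dot1Q 999 native
exit
! Inter-VLAN access rules are enforced here: printers must not reach MGMT,
! but everything else is routed normally
ip access-list extended PRINTERS-IN
 deny ip 10.20.0.0 0.0.0.255 10.99.0.0 0.0.0.255
 permit ip any any
exit
interface GigabitEthernet0/1.20
 ip access-group PRINTERS-IN in
end
```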

Links to this page
  • VLAN Trunking

    In VLAN Trunking, a tag is added to the frame to indicate which #Virtual LAN (VLAN) it belongs to; the tagging is handled by either a switch or a router. After the frame has passed through a trunk link, the tag is removed when it reaches the destination node or a non-trunk link, usually at a switch.

  • TRS2251 Chapter 9: VLANs
  • TRS2251 Chapter 8: Switching Technology
  • Switched LAN Architecture

    A typical Local-Area Network (LAN)# network is designed as a Hierarchical Network# involving multiple Switches# in three layers: the core layer, the distribution layer, and the access layer. The access layer consists of end devices and defines a basic configuration and constraints on their network connection. The distribution layer is where we define routing policies, Virtual LAN (VLAN)#, access control, broadcast domains, and the aggregation or funnelling of access layer traffic. The core layer should be capable of handling large amounts of traffic with high performance, which means it needs to be highly available and redundant. For cost saving, we can collapse or combine the distribution layer and the core layer into a single layer.

  • Switch

    Switch is a #Network Device that can operate in either the Data Link Layer# or the Network Layer# (modern implementation). It is an intelligent Bridge, which provides superior throughput performance, more ports (lower per-port cost), high-speed connections, segmentation using Virtual LAN (VLAN)# or Broadcast Domain# (modern), and even routing (in the case of a Multilayer Switch). This makes large-scale segmentation possible within the [Local-Area Network (LAN)](202207051554).

  • Spanning Tree Protocol (STP)

    Since each 202207061741# on a switch has to have its own root, it scales badly on switches with many VLANs. The alternative is 202207122011#.

  • Router

    The process of forwarding a packet from the port on which it was received to the outgoing port is called switching. Despite the naming, a Router will immediately drop the packet when it cannot find the destination in the routing table it maintains. Otherwise, it simply rewrites the destination Media Access Control Address (MAC) (the next hop, which can be another Router or the final destination) in the packet without touching the IP Address, which defines the final destination. The primary forwarding decision is based on the Routing Table# or routing information, assuming there is a mapping of the logical address to its interface or port. If there is no path defined in the routing table for the packet, the Router redirects it to a default route if one is set (usually 0.0.0.0 in IPv4 Address and ::/0 in IPv6 Address), or simply discards it and sends an Internet Control Message Protocol (ICMP)# Unreachable message to the source. Additionally, we can divide a physical interface into at most 65,535 logical interfaces using the command interface {interface-name} {interface}.{subinterface}. This is particularly useful in Virtual LAN (VLAN) routing.

  • Multiple Spanning Tree (MST)

    MST, defined by the 802.1s standard, is an alternative to #202207081637 that maps multiple 202207061741# with similar topologies to a single 202207081445# instance. This drastically reduces the overall number of spanning tree instances, which improves traffic load balancing and network recovery time, as setting up an instance can be CPU-intensive.

  • Hierarchical Network

    A network can divide its Routers or Switches into several logical grouping#. In turn, this simplifies routing updates, as they are confined within the grouping, and drastically reduces the traffic overhead. Notice its similarity to VLAN.

  • Cisco Switch Configuration

    To configure #Virtual LAN (VLAN) on a Switch#, an IP Address, subnet mask, and default gateway (the router that directs switch management traffic for remote access such as Telnet and Secure Shell (SSH)) need to be set up on the switch. The configuration can be done in IOS# with the command vlan {number} in Interface Configuration Mode, followed by the IP address assigned to the VLAN. We can attach a name to a VLAN by running the command name {vlan-name} right after the vlan {number} command in Global Configuration Mode. Define the VLAN membership mode for the assigned interface (port) as access (see Dynamic Trunking Protocol (DTP)# for other possible modes) with switchport mode {mode}, and assign the VLAN to it with switchport access vlan {number} in Interface Configuration Mode.

  • 80/20 Rule

    The 80/20 Rule is a network design based on traffic flow patterns in which 80% of the traffic stays within a Virtual LAN (VLAN)# and the remaining 20% crosses outside the VLAN. The rule has become obsolete as networks have grown. The modern alternative is the 20/80 Rule#.

  • 20/80 Rule

    The 20/80 Rule is a network design based on traffic flow patterns in which 20% of the traffic stays within a Virtual LAN (VLAN)# and the remaining 80% goes outside the VLAN.

#networking