Introduction to VLANs

Understanding VLAN: Enhancing Network Security and Performance

I. Introduction

VLAN is logical segmentation of a network that allows for separate broadcast domains within the same physical network. It increases network performance by reducing the broadcast domain. Furthermore, VLANs can improve network security by isolating traffic and controlling access to sensitive information. However, since it has been shown that VLANs can enhance traffic flow during file transfers and email transfers (email and FTP services), the problems go beyond security. The need for network broadcasts like ICMP, ARP, and DHCP is decreased when traffic is separated. Thus, the traffic performance is getting better.

The security feature of the VLAN is crucial for preventing unauthorised access to the network. VLANs help in organising network resources and users by grouping them based on their functions or departments. This makes it easier to manage and troubleshoot network issues, as well as allocate bandwidth and resources more efficiently.

Overall, VLANs play a crucial role in enhancing network efficiency, security, and performance. By implementing VLANs, organisations can optimise their network infrastructure to meet their specific needs and ensure a secure and smooth operation of their network systems.

II. How VLANs work

Network traffic segmentation, as previously mentioned, enhances network security and performance by separating various data types and limiting access between segments. To prevent unauthorised access to sensitive data, we can assign a specific VLAN ID to devices. There are many available numbers, giving versatility in managing VLAN infrastructure. The VLAN ID can range from 1 to 4094.

VLANs can be routed using the trunk protocol 802.1q standard. The trunk protocol enables a network device (router or switch) to transfer multiple VLAN traffic over a single connection. This is because the trunk protocol allows for tagging of VLAN traffic. It means that an additional 4 bytes of data are added to Ethernet frames to determine which VLAN the traffic belongs to and prioritise packets depending on their VLAN tags.

Routers and multilayer switches are the two primary methods available to us for directing VLAN packets between virtual networks. A popular method using a router is called Router on a Stick (ROAS). This method uses a single router interface with allocated virtual sub-interfaces for each VLAN. This allows the router to handle inter-VLAN communication by routing packets between the sub-interfaces internally. This approach is cost-effective and efficient for small to medium-sized networks. Evidently, there is a possibility to assign each router's physical interface to a separate VLAN with a separate link. Nevertheless, this approach is not advised in any way. It will result in higher managerial overhead, complexity, and resource costs.

III. Types of VLANs

There are three approaches to assigning VLANs to the network devices. The most popular method is port-based VLAN, commonly used in networks due to its simplicity and ease of configuration. By assigning ports to specific VLANs, network administrators can easily manage and control the flow of traffic within their network.

MAC-based VLANs, on the other hand, are based on the MAC address of the device, allowing for more granular control over which VLAN(s) belongs to the device. Lastly, protocol-based VLANs ensure that VLANs are assigned to the device based on the protocols they are using. This allows for even more specific and customised VLAN assignments.

Each method has its own disadvantage and can be chosen based on the specific needs of the network. For example, port-based VLANs can be inflexible, when network topology or device requirements are changing frequently. A MAC-based VLAN can be too complex to manage in large networks with many devices. Next, protocol-based VLANs can require additional hardware or software.

IV. Implementing VLANs

Prior to assigning a VLAN to the device, we need to create a VLAN on the switch. We use two commands: the first to create a VLAN ID and the second command to define the VLAN's name.

SW-Core(config)#vlan 10

SW-Core(config-vlan)#name Engineering

Having VLANs on connected switches, we can use VLAN Trunking Protocol (VTP) to automatically propagate VLAN information in the network. This helps maintain consistency and reduce manual configuration errors across multiple devices. VLAN Trunking Protocol can simplify the management of VLANs by allowing changes to be made on one switch and automatically propagated to others in the entire local network.

V. Best practices for VLAN security

Monitoring VLAN is crucial for understanding network behaviour, identifying potential issues, and maintaining optimal performance. By combining port mirroring, protocol analysers, SNMP, and flow-based tools, you can get a comprehensive view of VLAN traffic. 

Implementing access control lists (ACLs) is essential for restricting unauthorised access to VLANs and preventing security breaches. Regularly updating VLAN configurations helps to ensure that any changes in network requirements or security policies are properly reflected in the VLAN setup. 

VI. Real-world use cases of VLANs

As proved above, VLANs (Virtual Local Area Networks) are a powerful tool for segmenting networks into logical subnets. This segmentation can be used to isolate different groups of users, such as guests and employees, enhancing security and performance. For example, a real-world scenario is when a quest and employee networks are designed to be separate.  Therefore, the quest VLAN should be separate from the rest of the company network. 

VII. Conclusion

VLANs are logical segmentation of a network that allows for separate broadcast domains within the same physical network, increasing network performance and improving security. They help organise network resources and users by grouping them based on their functions or departments, making it easier to manage and troubleshoot network issues. VLANs can be routed using the trunk protocol 802.1q standard, and there are three types of VLANs: port-based, MAC-based, and protocol-based. VLAN Trunking Protocol (VTP) can automatically propagate VLAN information in the network. 

Monitoring VLANs is crucial for understanding network behaviour, identifying potential issues, and maintaining optimal performance. Regularly updating VLAN configurations ensures changes in network requirements or security policies are properly reflected in the setup.

However, if VLANs are not properly configured or monitored, they can lead to network congestion and security vulnerabilities. For example, if a VLAN is misconfigured and allows unauthorised access to sensitive data, it could result in a data breach.