Logical Network Segments with VLANs
It is common to segment a large network into a series of smaller networks to simplify administration and to separate roles for security purposes. Segmenting a network also helps performance by confining broadcast traffic to a portion of the network rather than the whole of it. Traditionally, a network was segmented by physical proximity (for example, each floor of a building might be a network segment) or by IP subnet. While these approaches accomplish many of the goals of segmenting traffic, they cannot address every use case adequately. For example, suppose you want all of Human Resources (HR) to share the same network, but some of them are on the 3rd floor, some are on the 5th floor and some are located at the office building across town. You now need a single segment that spans several switches, routers and physical locations. VLANs can do just that.
A VLAN, simply stated, is a broadcast domain. In this regard a VLAN is no different from an IP subnet: a device on one VLAN cannot communicate with a device on another VLAN without passing through a router. Where a VLAN differs from a subnet is that a VLAN is defined on a port by port basis at the switch, so membership is decided by which physical port a device is plugged into rather than by the address it holds. Most managed layer 2 switches are capable of defining VLANs.
Since VLANs are defined on a port by port basis, you can assign the ports on your switch to different VLANs. If your switches are interconnected by a trunk link, a VLAN can span more than one switch. In our earlier example, if the switch on the 3rd floor and the switch on the 5th floor are connected by a trunk link, we can assign the HR computers on each floor to the same VLAN, even though they are on different switches. As mentioned earlier, devices in that VLAN will not be able to communicate with another VLAN on the same switch without passing through a router. It is entirely possible for a frame from a device on port 2 in one VLAN to leave the switch to a router and come back in to port 1 on the same switch in order to reach a device in a different VLAN. Layer 3 switches include routing functionality, which makes them popular for defining VLANs and routing between them in the same device.
In our earlier example, though, we had some HR people at a remote site. Broadcast traffic does not cross a router, which is why subnetting is often seen as a secure way to segment a network. In this case, however, we want the remote HR people to be on the same network segment as the rest. VLANs accomplish this through VLAN tagging. There are 2 protocols for performing this tagging: one is a proprietary protocol developed by Cisco (ISL, Inter-Switch Link) and the other is the IEEE 802.1Q standard, which is what virtually all switches use today. Tagging inserts a field identifying the VLAN into the Ethernet frame, so a single physical link (a trunk) can carry frames for many VLANs at once, whether that link runs between two switches, across a layer 2 link to the remote office, or between a switch and a router that understands the tags and routes between the VLANs over one interface. This makes VLANs more flexible than simple subnetting. Note that the tag is nothing more than a few bytes in the frame: the isolation only holds if the ports facing end hosts are configured as access ports that assign the VLAN themselves and do not accept tagged frames from the host, and if trunk ports are limited to the VLANs they actually need to carry.
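To make the two preceding paragraphs concrete, here is an added example (written for this article, not code from any switch vendor) that builds and parses 802.1Q-tagged Ethernet frames and then models two floor switches joined by a trunk. The switch model is a simplification: it floods every frame within its VLAN instead of keeping a MAC table, drops tagged frames arriving on access ports (a policy this model assumes; real switches vary), and the hosts, port names and the ARP-shaped broadcast payload are all constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6


def mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes(int(x, 16) for x in text.split(":"))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet II frame; with vid set, insert an 802.1Q tag after the source MAC."""
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID must fit in 12 bits")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)      # DEI bit left clear
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vid (None if untagged), the real EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": frame[offset:]}


class Switch:
    """Tiny model of a managed switch.

    ports maps a port name to ("access", vid) or ("trunk", {allowed vids}).
    Frames are flooded within their VLAN, which is enough to show the broadcast-domain boundary.
    """

    def __init__(self, name, ports):
        self.name = name
        self.ports = ports
        self.links = {}        # trunk port -> (peer switch, peer port)
        self.delivered = []    # (port, untagged frame) handed to an attached host

    def connect_trunk(self, port, peer, peer_port):
        self.links[port] = (peer, peer_port)
        peer.links[peer_port] = (self, port)

    def receive(self, in_port, frame):
        kind, cfg = self.ports[in_port]
        p = parse_frame(frame)
        if kind == "access":
            if p["vid"] is not None:    # model policy: hosts may not choose their own VLAN
                return
            vid = cfg                   # the access port, not the host, decides the VLAN
        else:
            if p["vid"] is None or p["vid"] not in cfg:
                return                  # untagged or disallowed VLAN on a trunk is dropped
            vid = p["vid"]
        untagged = build_frame(p["dst"], p["src"], p["ethertype"], p["payload"])
        tagged = build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], vid=vid)
        for port, (k, c) in self.ports.items():
            if port == in_port:
                continue
            if k == "access" and c == vid:
                self.delivered.append((port, untagged))        # tag stripped for the host
            elif k == "trunk" and vid in c and port in self.links:
                peer, peer_port = self.links[port]
                peer.receive(peer_port, tagged)                # tag kept across the trunk


def demo():
    """HR on VLAN 10 and Finance on VLAN 20, on two floors joined by one trunk (constructed topology)."""
    floor3 = Switch("floor3", {"g1": ("access", 10), "g2": ("access", 20), "g24": ("trunk", {10, 20})})
    floor5 = Switch("floor5", {"g1": ("access", 10), "g2": ("access", 20), "g24": ("trunk", {10, 20})})
    floor3.connect_trunk("g24", floor5, "g24")
    arp_broadcast = build_frame(BROADCAST, mac("02:00:00:00:00:01"), ETHERTYPE_ARP, b"\x00" * 28)
    floor3.receive("g1", arp_broadcast)                        # HR host on the 3rd floor broadcasts
    # Only the HR port on the 5th floor hears it; Finance ports on both floors do not.
    return [port for port, _ in floor3.delivered], [port for port, _ in floor5.delivered]


def tagged_frame_on_access_port_is_dropped():
    """A Finance host that tags its own frame with VID 10 does not reach the HR VLAN in this model."""
    sw = Switch("sw", {"g1": ("access", 10), "g2": ("access", 20)})
    forged = build_frame(BROADCAST, mac("02:00:00:00:00:02"), ETHERTYPE_ARP, b"\x00" * 28, vid=10)
    sw.receive("g2", forged)
    return len(sw.delivered)


if __name__ == "__main__":
    print(demo())
    print(tagged_frame_on_access_port_is_dropped())
```

The interesting part is `receive`: the VLAN of a frame is decided by the access port it enters on, the tag only exists on the trunk between the two switches, and it is stripped again before the frame reaches a host. Inspecting bytes 12 to 17 of the tagged frame shows the tag itself: `81 00` (the 802.1Q TPID), the 16-bit TCI whose low 12 bits hold the VID, and then the original EtherType.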
VLANs are an attractive alternative to subnetting for segmenting a network. Because VLANs are defined at the switch level on a port by port basis, they give network administrators a greater degree of flexibility than physical layout or addressing alone. Additionally, 802.1Q tagging adds the VLAN identifier to the Ethernet frame, which lets a single trunk link carry several VLANs between switches or to a router, so one VLAN can span multiple switches and locations while still requiring a router to reach any other VLAN.