VLANs Explained: Core Concepts, Implementation, and Practical Use Cases for Network Segmentation
VLANs (Virtual Local Area Networks) logically segment a physical network into multiple broadcast domains. Unlike traditional LANs that rely on physical separation, VLANs enable network partitioning at Layer 2 through software configuration.

// Example VLAN configuration on Cisco IOS
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

Before VLANs, network segmentation required:

  • Physical separation with dedicated switches
  • Increased hardware costs
  • Inefficient use of switch ports

VLANs solve these problems by allowing:

  • Logical grouping of devices regardless of physical location
  • Improved security through broadcast-domain isolation, with inter-VLAN traffic forced through a Layer 3 device where ACLs or a firewall can filter it
  • Better traffic management and QoS implementation

VLANs and subnets are often used together (typically one subnet per VLAN), but they operate at different layers:

  VLAN (Layer 2)          Subnet (Layer 3)
  ----------------------  ----------------------
  Switching domain        IP addressing scheme
  802.1Q tagging          Subnet masks
  MAC-based               IP-based

SVIs (Switch Virtual Interfaces): Layer 3 interfaces on a multilayer switch that route between VLANs. Each SVI is the default gateway for its VLAN's subnet, so this is where inter-VLAN ACLs belong. On Cisco IOS switches, `ip routing` must be enabled globally or the SVIs will not forward between VLANs.

ip routing
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0

Port Types:

  • Access ports: carry traffic for a single VLAN; frames to and from the host are untagged
  • Trunk ports: carry traffic for multiple VLANs, each frame marked with an 802.1Q tag (traffic in the trunk's native VLAN is sent untagged)

Building a multi-department network with security zones:

# Python script to push VLAN definitions to a switch (using netmiko)
import getpass
import os

from netmiko import ConnectHandler

# Credentials come from the environment or an interactive prompt;
# never hard-code a switch password in a script that gets committed.
switch = {
    'device_type': 'cisco_ios',
    'host': os.environ.get('SWITCH_HOST', '192.168.1.1'),
    'username': os.environ.get('SWITCH_USER', 'admin'),
    'password': os.environ.get('SWITCH_PASS') or getpass.getpass('Switch password: '),
}

vlans = [
    {'id': 10, 'name': 'Engineering'},
    {'id': 20, 'name': 'Finance'},
    {'id': 30, 'name': 'Guest'},
]

# Build one command list so all VLANs go out in a single config session
commands = []
for vlan in vlans:
    commands += [f'vlan {vlan["id"]}', f'name {vlan["name"]}']

# The context manager closes the SSH session even if a command fails
with ConnectHandler(**switch) as connection:
    print(connection.send_config_set(commands))
    # Write to startup-config so the VLANs survive a reload
    print(connection.save_config())

VTP (VLAN Trunking Protocol): Cisco proprietary protocol for synchronizing VLAN databases across the switches in a VTP domain. Modern networks often disable it, or run every switch in transparent mode, because a switch that joins the domain with a higher configuration revision number overwrites the VLAN database on every other switch, deleting VLANs and taking down the ports assigned to them.

Best Practices:

  • Restrict every trunk to the VLANs it needs (`switchport trunk allowed vlan ...`) instead of the default of all VLANs 1-4094
  • Hard-code port modes (`switchport mode access` / `switchport mode trunk`) and disable DTP negotiation with `switchport nonegotiate`
  • Move the native VLAN off VLAN 1 to an otherwise unused VLAN, and do not carry user traffic in VLAN 1
  • Implement a separate management VLAN, reachable only from administrative networks
  • Document the VLAN-to-subnet mapping and keep it in sync with the SVI configuration
  • Consider PVLANs (private VLANs) when hosts in the same VLAN should not talk to each other
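The trunk-related items in the list above are easy to verify from `show interfaces trunk`. The following is an added example, not code from the original page: it parses a constructed sample of that command's output (the text and port names are made up for the example) and flags trunks whose native VLAN is still 1, whose mode was negotiated by DTP rather than set to `on`, or which allow VLANs outside the site plan. The set of "site VLANs" passed to the audit is an assumption of the example.

```python
from __future__ import annotations

# Constructed sample in the shape of Cisco IOS `show interfaces trunk`; not from a real device.
SAMPLE_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/2       desirable        n-802.1q       trunking      99
Gi0/3       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       10,20,30,99
Gi0/3       10,20,30

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30,99
Gi0/2       10,20,30,99
Gi0/3       10,20,30
"""


def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '1-5,10,20-22' into a set of VLAN IDs."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(output: str) -> dict[str, dict]:
    """Parse the status table and the 'Vlans allowed on trunk' table into per-port records."""
    ports: dict[str, dict] = {}
    section = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):            # a table header; decide which table follows
            if "Native vlan" in line:
                section = "status"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None                  # remaining tables are not needed here
            continue
        fields = line.split()
        if section == "status" and len(fields) == 5:
            name, mode, encap, status, native = fields
            ports[name] = {"mode": mode, "encapsulation": encap, "status": status,
                           "native_vlan": int(native), "allowed": set()}
        elif section == "allowed" and len(fields) == 2 and fields[0] in ports:
            ports[fields[0]]["allowed"] = expand_vlan_list(fields[1])
    return ports


def audit_trunks(ports: dict[str, dict], site_vlans: set[int]) -> dict[str, list[str]]:
    """Return a list of findings per trunk; an empty list means the trunk passes."""
    findings: dict[str, list[str]] = {}
    for name, rec in ports.items():
        issues = []
        if rec["native_vlan"] == 1:
            issues.append("native VLAN is the default VLAN 1; move it to an unused VLAN")
        elif rec["native_vlan"] in site_vlans:
            issues.append(f"native VLAN {rec['native_vlan']} also carries user traffic")
        if rec["mode"] != "on":
            issues.append(f"mode '{rec['mode']}' was negotiated by DTP; "
                          "set 'switchport mode trunk' and 'switchport nonegotiate'")
        extra = rec["allowed"] - site_vlans - {rec["native_vlan"]}
        if extra:
            issues.append(f"{len(extra)} VLANs allowed that are not in the site plan; prune the trunk")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_trunks(parse_show_trunk(SAMPLE_SHOW_TRUNK), {10, 20, 30}).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Feed the parser the real command output (for example, the return value of netmiko's `send_command("show interfaces trunk")`) and the audit becomes a repeatable check that can run after every change window.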

VLANs (Virtual Local Area Networks) are a method of logically segmenting a physical network into multiple isolated broadcast domains. They operate at Layer 2 (Data Link Layer) of the OSI model and provide network administrators with the ability to group devices together regardless of their physical location.

Before VLANs, network segmentation required physical separation - different switches for different departments. This was:

  • Costly (more hardware)
  • Inflexible (physical moves required recabling)
  • Inefficient (broadcast traffic flooded entire networks)

Here's a basic VLAN configuration example on a Cisco switch:


Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name Engineering
Switch(config-vlan)# exit
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# end

VLANs and subnets are often used together, but they serve different purposes:

  VLAN (Layer 2)                             Subnet (Layer 3)
  -----------------------------------------  ----------------------------------
  Logical segmentation of broadcast domains  Logical grouping of IP addresses
  Uses MAC addresses                         Uses IP addresses
  Configured on switches                     Configured on routers or SVIs

Trunk Ports and Access Ports

Access ports carry traffic for a single VLAN, while trunk ports carry multiple VLAN traffic using 802.1Q tagging:


Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30
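The Port Types list earlier on the page and the trunk configuration just above both turn on what an 802.1Q tag actually is: four bytes inserted after the source MAC, a TPID of 0x8100 followed by a 16-bit TCI holding a 3-bit priority, a drop-eligible bit and a 12-bit VLAN ID. The block below is an added example, not code from the original page. It builds and parses tagged frames (including stacked tags) and models the one trunk behaviour that matters most for security: a frame in the trunk's native VLAN leaves untagged, so an inner tag underneath it survives into the next switch. The MAC addresses and payload are constructed sample data.

```python
from __future__ import annotations

import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_tagged_frame(dst: bytes, src: bytes, vids: list[int], ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (outermost first).

    Each tag is TPID (2 bytes) + TCI (2 bytes), TCI = PCP(3) | DEI(1) | VID(12).
    Two VIDs give a double-tagged frame: the shape used in VLAN hopping when the
    outer tag equals the trunk's native VLAN and is stripped by the first switch.
    """
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    tags = b""
    for vid in vids:
        if not 0 <= vid <= 4095:
            raise ValueError(f"VID {vid} does not fit in 12 bits")
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
        tags += struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, the list of VIDs (outer first), the inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    vids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != TPID_8021Q:
            break                                  # reached the real EtherType
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)                  # low 12 bits are the VLAN ID
    return {"dst": dst, "src": src, "vids": vids,
            "ethertype": ethertype, "payload": frame[offset:]}


def trunk_egress(frame: bytes, native_vlan: int) -> bytes:
    """Model a trunk port transmitting a frame: native-VLAN traffic leaves untagged.

    Only the outer tag is removed; any inner tag stays, which is why the native
    VLAN of a trunk must not be a VLAN that hosts can send into.
    """
    parsed = parse_frame(frame)
    if parsed["vids"] and parsed["vids"][0] == native_vlan:
        return frame[:12] + frame[16:]             # drop the 4-byte outer tag
    return frame


if __name__ == "__main__":
    # Constructed sample addresses and payload for the demonstration
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("02000000000a")
    single = build_tagged_frame(dst, src, [10], ETHERTYPE_IPV4, b"\x45" * 20)
    print("single tag:", parse_frame(single)["vids"])
    double = build_tagged_frame(dst, src, [1, 20], ETHERTYPE_IPV4, b"payload")
    print("after trunk with native VLAN 1:", parse_frame(trunk_egress(double, 1))["vids"])
    print("after trunk with native VLAN 999:", parse_frame(trunk_egress(double, 999))["vids"])
```

Running it shows the double-tagged frame arriving at the next switch with only the inner tag (VLAN 20) when the native VLAN is 1, and unchanged when the native VLAN is something the attacker cannot reach. That is the mechanics behind the advice to move the native VLAN off VLAN 1 and to keep it out of any access VLAN.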

SVIs (Switch Virtual Interfaces)

SVIs provide Layer 3 routing between VLANs:


Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown

VTP (VLAN Trunking Protocol)

VTP keeps the VLAN database consistent across the switches in a domain. If you run it at all, set a domain password and leave switches that should never change VLANs in transparent mode, because any server or client that joins with a higher configuration revision number overwrites the VLAN database domain-wide:


Switch(config)# vtp domain COMPANY
Switch(config)# vtp mode server
Switch(config)# vtp password secure123

Example network architecture for a small business:


VLAN 10 (Engineering): 192.168.10.0/24
VLAN 20 (Marketing): 192.168.20.0/24 
VLAN 30 (Guest): 192.168.30.0/24
VLAN 99 (Management): 192.168.99.0/24
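A plan like the one above is worth checking mechanically before it is pushed, since the failure modes (two VLANs sharing address space, a reserved or default VLAN ID slipping in, a mistyped mask) surface only as hard-to-diagnose reachability problems later. The block below is an added example, not code from the original page: it validates a constructed plan that mirrors the layout above and renders the matching SVI configuration using the page's gateway-is-.1 convention. The reserved-ID set and the choice of 99 as management VLAN are this example's assumptions.

```python
from __future__ import annotations

import ipaddress

# Constructed plan mirroring the small-business layout above; not from a real device.
PLAN: dict[int, tuple[str, str]] = {
    10: ("Engineering", "192.168.10.0/24"),
    20: ("Marketing", "192.168.20.0/24"),
    30: ("Guest", "192.168.30.0/24"),
    99: ("Management", "192.168.99.0/24"),
}

# 0 and 4095 are reserved by 802.1Q; 1002-1005 are reserved (FDDI/Token Ring) on Cisco IOS.
RESERVED_VLANS = {0, 4095} | set(range(1002, 1006))


def validate_plan(plan: dict[int, tuple[str, str]], management_vlan: int = 99) -> list[str]:
    """Return a list of problems; an empty list means the plan passes every check."""
    problems: list[str] = []
    nets: dict[int, ipaddress.IPv4Network] = {}
    for vid, (name, cidr) in plan.items():
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid} ({name}): ID outside the usable range 1-4094")
        if vid in RESERVED_VLANS:
            problems.append(f"VLAN {vid} ({name}): reserved VLAN ID")
        if vid == 1:
            problems.append(f"VLAN 1 ({name}): default VLAN should not carry user or management traffic")
        try:
            # strict=True rejects host bits in the prefix, e.g. 192.168.10.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"VLAN {vid} ({name}): bad subnet {cidr!r}: {exc}")
            continue
        nets[vid] = net
    vids = sorted(nets)
    for i, a in enumerate(vids):                  # pairwise overlap check
        for b in vids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b}: subnets {nets[a]} and {nets[b]} overlap")
    if management_vlan not in plan:
        problems.append(f"management VLAN {management_vlan} is missing from the plan")
    return problems


def svi_config(plan: dict[int, tuple[str, str]]) -> str:
    """Render VLAN and SVI lines, using the first usable host of each subnet as the gateway."""
    lines: list[str] = []
    for vid, (name, cidr) in sorted(plan.items()):
        net = ipaddress.ip_network(cidr)
        gateway = next(net.hosts())
        lines += [f"vlan {vid}", f" name {name}", "!",
                  f"interface Vlan{vid}", f" description {name}",
                  f" ip address {gateway} {net.netmask}", " no shutdown", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    issues = validate_plan(PLAN)
    print("plan OK" if not issues else "\n".join(issues))
    print(svi_config(PLAN))
```

Because the configuration is generated from the same table that documents the mapping, the documentation and the SVIs cannot drift apart, which is the practical point of the "document VLAN-to-subnet mapping" advice.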

This segmentation improves security, reduces broadcast traffic, and simplifies network management.