What Is Virtual Local Area Network (VLAN)moriarty
Virtual Local Area Network (VLAN) technology logically divides a physical LAN into multiple broadcast domains, each of which is called a VLAN.
Each VLAN functions as a separate broadcast domain, with devices in the same VLAN able to directly communicate with one another, while those in different VLANs cannot. As a result, broadcast packets are confined within a single VLAN.
Why Do We Need VLAN?
Early Ethernet allows data communication over shared media through Carrier Sense Multiple Access/Collision Detection (CSMA/CD). When an Ethernet network has a large number of hosts, collision becomes a serious problem and can lead to broadcast storms. This degrades network performance or even causes a complete breakdown. Using Layer 2 devices to connect LANs can restrict data transmission within a LAN. However, this resolves only the conflicts.
This is where VLAN technology comes in. VLAN technology allows a physical LAN to be divided into multiple logical LANs (multiple VLANs). Each VLAN functions as a separate broadcast domain, with hosts in the same VLAN able to directly communicate with one another, while those in different VLANs cannot. As a result, broadcast packets are confined within a single VLAN. The following figure shows an example.
VLAN technology offers the following benefits:
Confines each broadcast domain to a single VLAN. This conserves bandwidth and improves network processing capabilities.
Enhances LAN security. Frames in different VLANs are separately transmitted so that hosts in a VLAN cannot directly communicate with those in another VLAN.
Improves network robustness. A fault in one VLAN does not affect hosts in another VLAN.
Allows for flexible virtual groups. VLAN technology allows hosts in different geographical locations to be added to different groups, simplifying network construction and maintenance.
VLAN vs Subnet
A network can be divided into multiple subnets to conserve IP address space and support flexible IP addressing.
Similar to a VLAN, a subnet can also isolate hosts. Hosts in different subnets cannot communicate with each other. The following figure shows the comparison between VLANs and subnets.
The companies connect to different interfaces of the same Layer 2 switch and access the Internet through the same egress router.
Networking diagram of interface-based VLAN assignment
To isolate the services of different companies and ensure service security, assign interfaces connected to the company networks to different VLANs. In this way, each company has a virtual router, and each VLAN works as a virtual work group.
In the following figure, a company has two departments assigned with fixed IP network segments. The employees often move between locations, but the company requires that their network resource access rights remain unchanged.
Networking diagram of subnet-based VLAN assignment
To ensure that employees retain access to network resources after changing locations, assign VLANs based on subnets on Switch_1. In this case, servers on different subnets are assigned to different VLANs to isolate data flows for accessing application services on the servers, improving security.
Inter-VLAN Layer 3 Communication
In the following figure, departments 1 and 2 of a small-scale company belong to VLAN 2 and VLAN 3, respectively, and connect to a Layer 3 switch (Switch_3) through Layer 2 switches. Packets exchanged between the two departments need to pass through the Layer 3 switch.
Inter-VLAN Layer 3 communication through VLANIF interfaces
Assign VLANs on Switch_1 and Switch_2, configure Switch_1 and Switch_2 to transparently transmit VLAN frames to Switch_3, and configure a VLANIF interface for each VLAN on Switch_3 to allow communication between VLAN 2 and VLAN 3.
IEEE 802.1Q, often referred to as Dot1q, defines the VLAN implementation standard for Virtual Bridged Local Area Networks. Compared with a standard Ethernet frame, a VLAN-tagged frame has an extra 4-byte VLAN tag.
Link-type Negotiation Protocol (LNP) is used to dynamically negotiate the link type of an Ethernet interface. The negotiated link type can be accessed or trunk.
- When the link type on an Ethernet interface is negotiated as access, the interface joins VLAN 1 by default.
- When the link type on an Ethernet interface is negotiated as the trunk, the interface joins VLANs 1 to 4094 by default.
The 802.1Q-in-802.1Q (QinQ) protocol is known as an amendment to the IEEE 802.1ad protocol. It expands VLAN space by adding an additional 802.1Q tag to 802.1Q-tagged packets and allows packets in a private VLAN to be transparently transmitted over a public network.
A packet transmitted on the backbone network carries two 802.1Q tags: a public VLAN tag and a private VLAN tag.
What Are Disadvantages of VLAN in Cloud-based Scenarios
Cloud computing, relying on its high system utilization rate, low manpower, and management costs, and flexible and expandable performance advantages, has already become the current new form of enterprise IT construction. As a core technology of cloud computing, server virtualization has a wide range of applications.
VLAN is a traditional network isolation technology. In accordance with standards, a maximum of about 4096 VLANs are available, which cannot meet the tenant isolation requirements of large data centers. In addition, each VLAN is a small and fixed Layer 2 domain, and as such is not suitable for large-scale dynamic virtual machine (VM) migration.
To solve this problem, a Virtual eXtensible Local Area Network (VXLAN) was introduced. Defined in RFC, VXLAN is a Network Virtualization over Layer 3 (NVO3) technology that uses MAC-in-User Datagram Protocol (MAC-in-UDP) encapsulation. VXLAN overcomes the preceding disadvantages of VLAN. VXLAN uses the 24-bit VXLAN Network Identifier (VNI) field to identify up to 16 million tenants, compared to a maximum of 4096 tenants in VLAN. VXLAN establishes a virtual tunnel between two switches across the basic IP network of the data center and virtualizes the data center network into a large Layer 2 virtual switch to meet the requirements of large-scale dynamic VM migration.