VLAN: Virtual LAN

16.02.2025

Currently, a local physical network or LAN (Local Area Network) is mainly composed of computers and linking equipment (mainly switches and routers), capable of establishing communication between devices.

Sometimes it is necessary to divide the local network into segments to simplify its administration, and ideally this should not require major changes to the physical infrastructure of the network.

A VLAN, an acronym for virtual LAN or Virtual Local Area Network, is a technology for creating independent logical networks within the same physical network. VLANs are useful for limiting the domain in which traffic is distributed, and they help with network management by separating logical segments (the offices or departments of an organization, for example) that should be connected only to each other.

A VLAN consists of two or more devices, which behave as if they were connected to the same switch, even though they are physically linked to different switches on the same local area network.

Each individual VLAN has its own broadcast domain, so that if one device sends a broadcast within the VLAN, all other participants in that segment (and only those) receive the message. Broadcast messages are not transmitted beyond the boundaries of the virtual network.

Use

In a standard OSI Reference Model Layer 2 network, all devices connected to a switch are members of the same broadcast domain, and multiple broadcast domains can only be physically separated by routers.

As networks scale, multiple broadcast domains need to be introduced to segment traffic for performance, security or logistical reasons.

Without VLANs, each growing network segment would require its own infrastructure, with one or more routers managing communication between the segments. VLANs instead allow network administrators to divide a single physical network into separate broadcast domains.

VLANs are identified by a number between 0 and 4095, with VLAN 1 set as the default in any network. In addition, each port (network interface on a switch) can be assigned to be a member of a VLAN, and thus receive and send traffic on that VLAN.

On a switch, traffic that arrives on a network interface that is a member of VLAN 100, for example, can be forwarded to any other member of that same VLAN, and can also travel through a trunk port (an inter-switch link) to another switch, where it is forwarded to all VLAN 100 interfaces on that switch. However, the traffic will not be forwarded to ports that are in a different VLAN.

This essentially allows a network administrator to logically split a switch, allowing multiple broadcast domains to coexist on the same hardware while maintaining the advantages of isolation, security and performance, as if completely separate switches were used.

Since VLANs operate at Layer 2, Layer 3 routing is required to enable communication between VLANs. This happens in the same way that a router would segment and manage traffic between two subnets on different switches.

To implement VLANs, the switches must support this technology, so VLAN-capable devices are often referred to as managed switches.
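The forwarding behaviour described above (traffic stays inside its VLAN, access ports carry untagged frames, trunk ports carry 802.1Q-tagged frames between switches) can be made concrete with a small simulation. The following Python code is an added example, not code from the original article or from Protelion: it parses and builds 802.1Q-tagged Ethernet frames, then models a toy VLAN-aware switch whose port names, MAC addresses and VLAN numbers are all constructed for the demonstration. The "drop tagged frames on access ports" and "drop frames for VLANs not allowed on a trunk" rules are design choices of this toy, not a description of any particular vendor's switch.

```python
import struct

# 802.1Q: a tagged frame carries TPID 0x8100 followed by a 16-bit TCI
# (3 bits priority, 1 bit DEI, 12 bits VLAN id) before the real EtherType.
TPID_8021Q = 0x8100
BROADCAST = b"\xff" * 6


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into dst, src, vid (None if untagged), ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF                      # low 12 bits are the VLAN identifier
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vid=None, pcp=0) -> bytes:
    """Build an untagged frame, or an 802.1Q-tagged one when vid is given."""
    hdr = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VLAN id must fit in 12 bits")
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


class Switch:
    """Toy VLAN-aware switch: access ports belong to one VLAN and carry untagged
    frames; trunk ports carry tagged frames for a set of allowed VLANs."""

    def __init__(self):
        self.access = {}   # port -> vid
        self.trunks = {}   # port -> set of allowed vids
        self.fdb = {}      # (vid, mac) -> port, learned from source addresses

    def add_access_port(self, port: str, vid: int):
        self.access[port] = vid

    def add_trunk_port(self, port: str, allowed):
        self.trunks[port] = set(allowed)

    def receive(self, port: str, frame: bytes) -> dict:
        """Process one ingress frame; return {egress_port: frame_to_send}."""
        p = parse_frame(frame)
        if port in self.access:
            if p["vid"] is not None:
                return {}                           # tagged frame on an access port: dropped
            vid = self.access[port]                 # VLAN comes from the port, not the host
        elif port in self.trunks:
            if p["vid"] is None or p["vid"] not in self.trunks[port]:
                return {}                           # untagged or disallowed VLAN on a trunk: dropped
            vid = p["vid"]
        else:
            raise KeyError(f"unknown port {port}")
        self.fdb[(vid, p["src"])] = port            # learning is per VLAN
        known = self.fdb.get((vid, p["dst"]))
        if p["dst"] != BROADCAST and known is not None and known != port:
            targets = [known]                       # known unicast: one port only
        else:                                       # broadcast/unknown: flood inside the VLAN
            targets = [q for q, v in self.access.items() if v == vid and q != port]
            targets += [q for q, allowed in self.trunks.items() if vid in allowed and q != port]
        out = {}
        for q in targets:
            tag = vid if q in self.trunks else None  # re-tag only towards trunks
            out[q] = build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], vid=tag)
        return out


def demo() -> dict:
    """Constructed scenario: VLAN 100 on Gi0/1 and Gi0/2, VLAN 200 on Gi0/3, trunk on Gi0/24."""
    sw = Switch()
    sw.add_access_port("Gi0/1", 100)
    sw.add_access_port("Gi0/2", 100)
    sw.add_access_port("Gi0/3", 200)
    sw.add_trunk_port("Gi0/24", [100, 200])
    h1, h2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    results = {}
    # broadcast from h1: reaches VLAN 100 members and the trunk, never Gi0/3 (VLAN 200)
    results["flood"] = sw.receive("Gi0/1", build_frame(BROADCAST, h1, 0x0806, b"who-has"))
    # h2 answers h1: h1 is already known on Gi0/1, so only that port gets the frame
    results["unicast"] = sw.receive("Gi0/2", build_frame(h1, h2, 0x0806, b"is-at"))
    # a frame tagged VLAN 200 offered on access port Gi0/1 is dropped
    results["tagged_on_access"] = sw.receive("Gi0/1", build_frame(BROADCAST, h1, 0x0806, b"x", vid=200))
    # VLAN 100 broadcast arriving tagged over the trunk is delivered untagged to Gi0/1 and Gi0/2
    remote = bytes.fromhex("020000000099")
    results["from_trunk"] = sw.receive("Gi0/24", build_frame(BROADCAST, remote, 0x0806, b"y", vid=100))
    return results


if __name__ == "__main__":
    for name, out in demo().items():
        print(name, sorted(out))
```

The `demo()` scenario shows the two properties the text relies on: a broadcast in VLAN 100 is never seen by the VLAN 200 port, and a frame crossing the trunk is tagged with its VLAN so the far-end switch can place it in the right broadcast domain. Reaching Gi0/3 from VLAN 100 would require a Layer 3 hop, which this Layer 2 model deliberately does not provide.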

VLAN Types

Virtual Local Area Networks can be fundamentally classified as follows:

  • VLAN by Port: specifies which switch ports belong to the VLAN; the devices connected to those ports are its members. It does not support user mobility: if a user moves, the new connection port has to be added to the VLAN.
  • VLAN by MAC Address: devices are assigned to a VLAN based on their MAC address. It has the advantage that the switch does not have to be reconfigured if the user changes location, i.e. connects to a different port on the same or another switch. The main inconvenience is that members have to be assigned one by one, which becomes cumbersome with many terminals.
  • VLAN by Protocol: each VLAN is determined by the type of protocol of the data frame. For example, one VLAN is associated with the IP protocol, another with IPX etc.
  • VLAN by Application: a VLAN is created for each application: FTP, multimedia streams, e-mail etc. Additionally, VLAN assignment can be based on a combination of factors such as ports, MAC addresses, subnet, time of day, access mode, the security posture of the equipment, and other characteristics.

VLAN Assignment

The two most common approaches to assigning membership to a VLAN are:

  • Static VLANs: also known as port-based VLANs. Membership is created by assigning ports (switch interfaces) to a VLAN. When a device connects to the network, i.e. to a switch port, it automatically takes the VLAN of that port. If the user changes ports, the network administrator must manually assign the new port to the VLAN for that new connection.
  • Dynamic VLANs: created with the use of software. With a VLAN policy server (VMPS: VLAN Management Policy Server), an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port, or the username used to log in to the device.
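The practical difference between the two approaches is what happens when a device is moved to another port: with static assignment the VLAN follows the port, with dynamic (VMPS-style) assignment it follows the device. The following Python code is an added example, not code from the original article or from any VMPS implementation: it models both lookups with constructed port tables, MAC addresses and VLAN numbers, and adds a small audit that lists devices whose statically assigned port VLAN disagrees with what the MAC-based policy expects, a check an administrator can run against a port-to-MAC inventory. The fallback VLAN 999 for unknown addresses is an assumption of this example.

```python
# Constructed static table: port -> VLAN (port-based membership)
STATIC_PORT_VLAN = {"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 20, "Gi0/4": 20}

# Constructed VMPS-style policy database: MAC address -> VLAN
MAC_VLAN_POLICY = {
    "02:00:00:00:00:0a": 10,
    "02:00:00:00:00:0b": 10,
    "02:00:00:00:00:14": 20,
}
FALLBACK_VLAN = 999   # assumed: parking VLAN for addresses the policy does not list


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:..., aa-bb-... or aabb.ccdd.eeff and return lower-case colon form."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def static_vlan(port: str) -> int:
    """Port-based membership: the VLAN follows the port, not the device."""
    return STATIC_PORT_VLAN[port]          # KeyError for an unconfigured port


def dynamic_vlan(mac: str) -> int:
    """MAC-based membership: the VLAN follows the device, whichever port it uses."""
    return MAC_VLAN_POLICY.get(normalize_mac(mac), FALLBACK_VLAN)


def vlan_after_move(mode: str, mac: str, old_port: str, new_port: str) -> tuple:
    """Return (vlan_before, vlan_after) when a device is moved between two ports."""
    if mode == "static":
        return static_vlan(old_port), static_vlan(new_port)
    if mode == "dynamic":
        v = dynamic_vlan(mac)
        return v, v
    raise ValueError("mode must be 'static' or 'dynamic'")


def audit(observed) -> list:
    """observed: iterable of (port, mac) pairs seen on the switch.
    Returns (port, mac, static_vlan, policy_vlan) for every pair whose static port VLAN
    differs from the VLAN the MAC policy expects for that device."""
    mismatches = []
    for port, mac in observed:
        expected = dynamic_vlan(mac)
        actual = static_vlan(port)
        if expected != actual:
            mismatches.append((port, normalize_mac(mac), actual, expected))
    return mismatches


if __name__ == "__main__":
    # constructed inventory: (port, mac) pairs a switch's MAC table might report
    inventory = [("Gi0/1", "02:00:00:00:00:0a"), ("Gi0/3", "02-00-00-00-00-0b"),
                 ("Gi0/4", "02:00:00:00:00:14")]
    print("static move :", vlan_after_move("static", "02:00:00:00:00:0a", "Gi0/1", "Gi0/3"))
    print("dynamic move:", vlan_after_move("dynamic", "02:00:00:00:00:0a", "Gi0/1", "Gi0/3"))
    print("mismatches  :", audit(inventory))
```

In the constructed inventory the device `02:00:00:00:00:0b` is plugged into Gi0/3, a VLAN 20 port, while the policy places it in VLAN 10; `audit()` reports exactly that pair, which is the case the static model silently accepts and the dynamic model would have corrected.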

Implementation Benefits

  • Flexibility: in an organization, when a device connected to the network changes physical location, the change can be made directly in the switch configuration: the network administrator simply assigns the new connection interface to the required VLAN.
  • Security: with a VLAN, the broadcast domain is limited to certain workstations, so that the broadcast only reaches those to whom the information is addressed. It is important to clarify that VLAN configuration is not a sufficient security measure. If the virtual networks and the local area network on which the VLANs are based are not protected by any security measures (such as encryption, for example), it is possible to access the data streams.
  • Performance: by reducing the broadcast domain, better performance is also achieved, so that broadcast messages do not have to cross the entire network. With a VLAN, unnecessary bandwidth overhead is minimized.
  • Order: VLANs connect logical groups of computers to each other, which facilitates organization. In an enterprise network, for example, sometimes users belong to a logical executive group, but their workstations are not in the same physical location, and may even be in different rooms, floors or buildings. As a VLAN can group them, the work is made easier and more efficient.
  • Price: instead of several VLANs, it is possible to set up several separate physical LANs interconnected by routers, so that communication from one network to another is still possible. However, this involves high costs compared to implementing VLANs, and installing parallel networks takes a long time.

Differences between VLAN and VPN

A VPN (Virtual Private Network) provides a secure method of connecting to a private network through an unsecured public network such as the Internet. The data sent over the public network is encrypted to maintain security, and only authenticated users can get access. Generally speaking, a VPN tunnel is created between a device outside the network and a computer located at the edge of the local network, which will be responsible for encapsulating (encrypting) and decrypting the exchanged data packets.

A VLAN helps to logically group workstations on the same network, which may have different physical locations, while a VPN is related to remote access to an organization's network.

A VLAN is basically a way to logically separate a local network, without physically segregating it with several routers, whereas a VPN is used to connect two points in a secure and encrypted tunnel, even if they do not belong to the same network.

A VPN provides security for data exchanged while in transit, so that if it is intercepted it cannot be revealed. A VLAN does not involve any encryption technique, but is only used to divide a network logically, primarily for management and security purposes.

VLANs can be understood as a group of devices that communicate with each other as if they were connected to the same switch, even if they are not, while VPNs provide a secure method using data encryption to connect to a private network from remote locations, usually over the Internet.

In general, a VLAN can also be understood as a subset of a VPN, since VPNs also allow the creation of a smaller subnet, using the devices of a larger underlying network.
