John Oden

You probably first learned about a Local Area Network (LAN) early in your journey into networking. A LAN is a group of devices that are connected to each other. Figure 1 shows a network for an organization that has several departments.
Figure 1: A typical local area network (LAN)
Problems with LANs
Although this arrangement works well in that all devices can communicate with each other, there will be many problems as the network grows. What if the security policy of the organization stipulates that sensitive data stored on computers within the Accounting department should be kept secure from all other departments? This design makes it difficult to enforce this policy.
As the network grows, broadcast traffic will also become a problem. Are the Marketing department's computers really required to process network broadcasts from computers in Accounting and Human Resources trying to communicate with printers? They aren't. However, this design doesn't allow us to isolate broadcast traffic.
Figure 2: Multiple LANs
One way to resolve these issues is to divide our network into multiple networks, as shown in Figure 2. We have created additional broadcast domains that isolate broadcast traffic within each department by connecting each department's devices to their own switch. We also addressed the security concern by making certain that computers in one department can't access sensitive data in another department. However, our security concern may have been addressed too well: computers in one department cannot access computers in another at all, and Marketing staff cannot reach the printers. This is not ideal. We would also now have to buy, install, and maintain three switches instead of one.
Introduction to the VLAN
The Virtual Local Area Network (or VLAN) is a solution to these and many other problems. VLAN technology is part of the feature set of many modern Ethernet switches. VLANs behave in the same way as LANs, but with more flexibility. VLAN technology allows you to subdivide one physical switch into multiple logical switches. VLANs are implemented by using the appropriate switch commands to create the VLANs and to assign specific switch interfaces to the desired VLAN.
Figure 3: VLAN Implementation
Figure 3 shows a network that uses VLANs. This network is logically identical to Figure 2, but only one physical switch is needed. VLAN 10 has been assigned to the switch interfaces used by devices in Accounting. VLAN 20 is used by devices in Marketing. VLAN 30 is used by the HR department.
VLANs are implemented by switches by adding a VLAN tag to Ethernet frames as they enter the switch. The VLAN tag includes the VLAN ID and other information, and its contents are determined by the interface through which the frame entered the switch. The switch uses the VLAN tag to ensure that every Ethernet frame is restricted to the VLAN it belongs to, based on the VLAN ID carried in the tag. VLAN tags are removed when frames leave the switch toward their destination.
Here's the configuration of the Cisco Catalyst 2960 switch that creates the VLAN layout shown in Figure 3.
vlan 10
 name Actg
vlan 20
 name Mkt
vlan 30
 name Hr
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/6
 switchpor
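To make the tagging behaviour concrete, here is an added Python example (not from the article or from Cisco) that models what the switch does with the configuration above: the VLAN ID comes from the ingress interface, the 802.1Q tag is inserted after the source MAC, and the frame is untagged again only when its egress port belongs to the same VLAN. The port-to-VLAN map is transcribed from the configuration (ports 1 to 5, since the listing is cut off); the sample frame and the decision to refuse already-tagged frames on an access port are assumptions.

```python
import struct

# Port-to-VLAN mapping transcribed from the page's switch configuration
# (access ports only; the configuration is cut off after FastEthernet0/6).
ACCESS_VLAN = {
    "FastEthernet0/1": 10, "FastEthernet0/2": 10, "FastEthernet0/3": 10,
    "FastEthernet0/4": 20, "FastEthernet0/5": 20,
}
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_vid(frame: bytes):
    """Return the VLAN ID if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None  # VID is the low 12 bits of the TCI


def tag_on_ingress(frame: bytes, in_port: str):
    """Insert a tag after the source MAC; the VID comes from the ingress port, not from the frame."""
    if parse_vid(frame) is not None:
        return None  # assumption: an access port does not accept a frame that is already tagged
    tci = ACCESS_VLAN[in_port] & 0x0FFF  # PCP = 0, DEI = 0, so the TCI is just the VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag before the frame leaves on an access port."""
    return frame[:12] + frame[16:]


def forward(frame: bytes, in_port: str, out_port: str):
    """Switch decision: tag on ingress, deliver untagged only if the egress port is in the same VLAN."""
    tagged = tag_on_ingress(frame, in_port)
    if tagged is None or ACCESS_VLAN.get(out_port) != parse_vid(tagged):
        return None  # the frame stays confined to its VLAN and is dropped here
    return strip_tag(tagged)


# Constructed sample: a broadcast ARP request from an Accounting host on Fa0/1.
ACCT_HOST = bytes.fromhex("02000000aa01")
SAMPLE = build_frame(b"\xff" * 6, ACCT_HOST, 0x0806, b"\x00" * 28)
```

Run `forward(SAMPLE, "FastEthernet0/1", "FastEthernet0/4")` to see the Accounting broadcast dropped before it reaches a Marketing port, which is the isolation the article describes.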