LearnIT: Virtual LANs

What is a virtual LAN? This guide explains the basics in one easy to read format.












Institute of Electrical and Electronics Engineers




layer 2


layer 3


load balancing




MAC address


ms or millisecond


OSI model


















Take a QUIZ


Learn IT in ten easy steps

Directions:</> Read steps 1-8 and their related links. Use the glossary to look up any terms you do not know. When you're done, go to step 10 and take a quiz to see how much you've learned!

1. What is a virtual LAN?

A virtual (or logical) LAN is a local area network with a definition that maps workstations on some other basis than geographic location (for example, by department, type of user, or primary application). The virtual LAN controller can change or add workstations and manage load balancing and bandwidth allocation more easily than with a physical picture of the LAN. Network management software keeps track of relating the virtual picture of the local area network with the actual physical picture.

2. What are the key features of VLAN?

The benefits of a VLAN include the ability to share information and resources across locations as if they were all under one roof. As a result of this, businesses can operate more efficiently with improved productivity. Site-to-site VPN is frequently used to implement VLAN with the added benefit of strong security. There are two fundamental limitations of VLANS: performance and management costs.

3. Can you explain these limitations?

In regard to performance, local area networks typically operate at 100 Mbps with latencies of less than 5 ms. On the other hand, wide area networks typically connect at 1.5 Mbps or less with latencies averaging around 100 ms. So, a VLAN will not perform as well as a local network. This is generally not a problem, but can be if applications are chatty (i.e., send a lot of small messages back and forth just to accomplish one task) or require a lot of bandwidth (i.e., video streaming). So, when designing a VLAN, one must take care to provision enough bandwidth to accommodate the applications being serviced.

In regard to management costs: A VLAN is a wide area network and typically requires additional security such as that provided by IPsec and PKI. The need to support geographically dispersed locations and extra security can increase overhead. Basically, it's much more complex than connecting computers together in the same building as would be the case with an ordinary LAN.

Related Links:

In this article, Chris Partsenidis delves into VLAN setups, including memberships, communication, trunking and Virtual Trunk Protocol.

Partsenidis offers advice to SearchNetworking.com members.

"Designing Switched LAN Internetworks" from Cisco provides a comprehensive look at VLANs.

ThisCisco Press chapter download provides a thorough look at methods for configuring, creating, and configuring VLANs on a switch.

4. Are there standards for VLANs?

Yes.  The standard 802.1q defines the operation of Virtual LAN (VLAN) Bridges that permit the definition, operation and administration of Virtual LAN topologies within a Bridged LAN infrastructure.  802.1v is the proposed supplement that will benefit users of multi-protocol LANs by permitting them to specify VLAN structures suitable for each protocol present in a LAN, and removing the need for a non-standard relay function between VLANs.

Related Links:

Read about "802.1Q - Virtual LANs" in this official IEEE document.

Read about "802.1v - VLAN Classification by Protocol and Port" in this official IEEE document.


4.  I'm confused -- Do VLANs operate at layer 2 or layer 3?

Virtual LANs operate at layer 2 of the OSI model. However, a VLAN is often configured to map directly to an IP network, or subnet, which gives the appearance it is involved in layer 3.

5. How are VLANs configured? 


VLANs can be static, dynamic, or port-centric and there are two methods of establishing a VLAN: frame-tagging and frame-filtering.

Static VLANs are used most in today's networks and are also the most secure. With Static VLANs the VLAN membership is assigned to a port on the switch, rather than the MAC address of the device connected to the specific port.

Dynamic VLANs are more rare and less secure. The VLAN membership is assigned to the MAC address of the host or device. This means that when a host is connected to any port on a switch that's configured to support VLAN, the switch will lookup its internal table and find out which VLAN the particular MAC address is part of and automatically assign the host to the appropriate VLAN.

In most cases, all switches that support VLANs will use the IEEE 802.1q method of frame tagging. Frame tagging is a way of keeping track of users and frames as they travel through the switching fabric of a switch. It's like a 'tag' that's stuck on each frame in order to identify its VLAN membership.

If you cascade two switches together (as you are most probably doing,) they will use frame tagging only through their special backbone connectors (found in stackable switches.) This 'tag' is removed before it exits the switch port to find its way to the destination pc or device.

This also means that if you tried to cascade your switches hoping that the VLAN would work for both, then it would most probably fail.

In order to cascade two switches together for a VLAN, they must support 'Trunk Links' where the above mentioned 'tags' will be sent through a port of the first switch, into the port of the second switch.

6. Will a VLAN break apart a network to secure the PC's connected? For example, will someone be able to see another computer on a different VLAN?

When implementing a VLAN into a network, it will break the network into two or more separate networks. Hosts on one VLAN network are not able to access hosts on another, even though they might be using the same switch. If you need to have the two VLANs communicating between each other, you need to install some kind of router that will route packets from one VLAN to another.

You should also know that if a broadcast is sent on a VLAN, it will not be propagated onto the other VLANs, even if they exist on the same switch. I am noting this because most people know that a switch will send a broadcast out of all its ports, but this is not the case when you configure VLANS on the switch.

7. How easily can a VLAN be set up to support DHCP?

Just think of each VLAN as a separate network. If you wish to support DHCP, all you need is a DHCP server that will exist in each VLAN (network). The easiest way would be to install a DHCP server and have multiple network cards installed, where each network is connected to a specific VLAN.

 8.  What about security?

VLANs provide security in two ways:

High-security users can be grouped into a VLAN, possibly on the same physical segment, and no users outside of that VLAN can communicate with them.

1.      Because VLANs are logical groups that behave like physically separate entities, inter- VLAN communication is achieved through a router. Thus, all the security and filtering functionality that routers traditionally provide can be used.


Related Links:

Cisco offers this white paper, "Virtual LAN Security Best Practices"https://www.bitpipe.com/


9. VLAN Words-to-Go Glossary:

Browse VLAN vocabulary in this handy printable glossary.

10. Self-assessment:

After you've looked at the glossary, quiz yourself to see what you've learned about virtual LANs.


Dig Deeper on Network infrastructure

Unified Communications
Mobile Computing
Data Center