What is a VLAN?
According to Wikipedia, a VLAN (virtual LAN, Virtual Local Area Network) is a method to create independent logical networks within the same physical network. The IEEE 802.1Q protocol is responsible for tagging the frames with the information of the VLAN they belong to.
What does this mean? It is simply a matter of dividing a physical network logically; the following example makes it clearer:
Imagine a company with several departments that you want to keep independent, that is, they cannot exchange data through the network. The solution would be to use several switches, one per department, or to use one switch logically divided into smaller switches, which is precisely what a VLAN is. We now have the different departments separated, but we still need to give them access to services like the internet, the different servers, and more.
For this, we have two options:
- Use a layer 3 (or layer 3/4) switch, that is, one able to “route” between the different VLANs.
- Or use a firewall with VLAN support, that is, one whose single physical interface can work with several VLANs as if it had several physical interfaces.
Types of VLANs
Level 1 VLAN
The level 1 VLAN defines a virtual network according to the switch port used, also known as “port switching.” It is the most common type and is implemented by most switches on the market.
Level 2 VLAN
This type of VLAN defines a virtual network according to the MAC addresses of the equipment. In contrast to the per-port VLAN, it has the advantage that computers can change ports, but every MAC address must be assigned one by one.
Level 3 VLAN
When we talk about this type of VLAN it should be noted that there are different types of level 3 VLANs:
- Network-address-based VLAN groups computers into subnets according to their IP address.
- Protocol-based VLAN allows creating a virtual network by the type of protocol used. It is very useful for grouping all the computers that use the same protocol.
How does a VLAN work per port?
The IEEE 802.1Q protocol is responsible for tagging frames with their VLAN information: a tag (TAG) is inserted into the Ethernet header indicating which VLAN the frame belongs to.
Based on whether the frames are “tagged”, we can differentiate between:
- TAGGED: when the connected device can work directly with VLANs, it sends each frame with the tag of the VLAN it belongs to. Thanks to this feature, the same port can work with several VLANs simultaneously.
- UNTAGGED: when the connected device knows nothing about VLANs, its frames carry no tag and the switch assigns them to the single VLAN configured on that port.
When we configure a port with all the VLANs in TAGGED mode, we call it a trunk, and it is used to cascade network devices: it allows the packets of a VLAN to pass from one switch to another until they reach all the equipment in that VLAN. Now we need to give the VLANs access to services like the internet, the different servers, and more.
For this, we have two options:
- Use a layer 3 (or layer 3/4) switch, that is, one able to “route” between the different VLANs.
- Or use a firewall with VLAN support, that is, one whose single physical interface can work with several VLANs as if it had several physical interfaces, each of which gives one VLAN access to the services.
Choosing one or the other depends on whether your firewall supports VLANs; if communications pass through the firewall, we will always have more control over them, as I will explain later.
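To make the tagging and port behaviour described above concrete, here is an added example (not code from the original article): it builds and parses 802.1Q-tagged Ethernet frames and models a simplified switch with access (untagged) ports and a trunk (tagged) port. The port names, VLAN IDs and MAC addresses are constructed for illustration, and the model ignores the DEI bit and native VLANs on trunks.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame; vlan is None when no 802.1Q tag is present."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits); DEI is ignored here
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None, "pcp": 0,
            "ethertype": ethertype, "payload": frame[14:]}


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0) -> bytes:
    """Assemble a frame, inserting a tag only when a VLAN ID is given."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed port table: access ports carry one untagged VLAN (the PVID),
# the trunk port carries several VLANs and expects every frame to be tagged.
PORTS = {
    "gi1": {"mode": "access", "pvid": 10},           # e.g. sales department
    "gi2": {"mode": "access", "pvid": 20},           # e.g. finance department
    "gi24": {"mode": "trunk", "allowed": {10, 20}},  # uplink to the next switch
}


def classify_ingress(port: str, frame: bytes):
    """VLAN a frame belongs to after entering `port`, or None if it is dropped."""
    p, f = PORTS[port], parse_frame(frame)
    if p["mode"] == "access":
        # VID 0 is "priority tagged" and is treated as untagged (802.1Q)
        return p["pvid"] if f["vlan"] in (None, 0) else None
    return f["vlan"] if f["vlan"] in p["allowed"] else None  # untagged/0 dropped


def egress_frame(port: str, vlan: int, frame: bytes):
    """Rewrite a frame for leaving `port`, or None if the port does not carry `vlan`."""
    p, f = PORTS[port], parse_frame(frame)
    if p["mode"] == "access":
        if vlan != p["pvid"]:
            return None
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"])  # strip tag
    if vlan not in p["allowed"]:
        return None
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vlan, f["pcp"])
```

Running a frame from `gi1` out of the trunk and back into an access port shows the tag being added on the trunk and stripped again before the frame reaches a VLAN-unaware host, while a frame for VLAN 10 never leaves the VLAN 20 port.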
Advantages of segmenting your network using VLANs
The main benefits of using VLANs are the following:
- Increased security: by segmenting the network, groups that handle sensitive data are separated from the rest of the network, reducing the possibility of confidential information being breached.
- Improved performance: by dividing the network into broadcast domains, the transmission of traffic is reduced and controlled, and performance is enhanced.
- Reduced costs: the savings come from a reduced need for expensive network upgrades and a more efficient use of existing links and bandwidth.
- Higher IT staff efficiency: a VLAN allows a new network to be defined over the physical network and managed logically.
In this way we achieve greater flexibility in administering and changing the network, since the architecture can be changed through the switch parameters, making it possible to:
- Easily move workstations on the LAN.
- Easily add workstations to the LAN.
- Easily change the configuration of the LAN.
Advantages of having a firewall with VLAN support
- Greater cost savings: we will not have to invest in a switch with “routing capacity”; a layer 2 switch, currently very economical, will suffice.
- Greater security and control: we do not blindly “route” one VLAN to another; we can create access rules between the VLANs and inspect all traffic.
- Higher network performance: we will be able to prioritize specific VLANs or protocols by QoS (Quality of Service).
A typical example is Voice over IP (VoIP) traffic, since it requires:
- Guaranteed bandwidth to ensure voice quality
- Priority of transmission over network traffic types
- Ability to be routed in congested areas of the network
- Delay of less than 150 milliseconds (ms) through the network
Therefore, as you have seen, having a firewall with VLAN support brings a series of significant advantages when managing your information systems. Not only will you get performance improvements, but you will also simplify your administration tasks.