What is VLAN? Virtual Local Area Network

What is VLAN? In this article we will talk about Virtual Local Area Networks, abbreviated "VLAN" and also called "Virtual LAN", from the theoretical side only, without going into configuration. For the configuration stage, you can take a look at the articles on VLAN settings that we have previously written for Extreme Networks, HP ProCurve and Cisco switches.
Index
- Other Recent Articles Related to VLAN
- Benefits of VLAN
- Default VLAN or VLAN-1 (Non-VLAN Network)
- The Great Danger Awaiting Us
- Network Hacking (Ethical White Hacker)
- How Does Cain Work?
- Network Powered by VLAN
- Communication Between VLANs – IP Routing
- Guest VLAN
- Static and Dynamic Virtual Network
- What is VLAN – Management VLAN
Other Recent Articles Related to VLAN
This article contains only theoretical information about what a VLAN is, so terms and parameters will be mentioned freely without configuration details.
Although a network consisting of managed switches, modems, firewalls, servers and routers is physically a single network, with VLAN configuration you can create many virtual networks, up to the maximum number (8192+) supported by your devices. Since each of these networks is virtual, it will need to be supported with a set of rules and routing.
First of all, let’s talk about a few benefits of configuring VLANs in your network.
Benefits of VLAN
- Traffic density can be reduced by minimizing the clutter caused by broadcast messages on the local network.
- A more manageable network can be achieved by assigning at least one VLAN to each unit on the local network.
- The network becomes secure and manageable by routing all communication between VLAN blocks with IP routing.
- Many VLAN networks can be carried in bulk over fiber-optic or UTP uplink cables with the trunk method.
- Firewall and router devices can run more complex but less confusing configurations.
- In the IP/gateway definition, a maximum of 254 user IP addresses can be opened without VLANs, while in a network with VLAN configuration "max IP number = number of VLANs x 254". The fact that 254 IPs can be assigned in an IP block does not necessarily mean that all 254 are in use. Even the broadcast and multicast messages of 254 Ethernet interfaces will be enough to generate traffic, not to mention the data packets.
These are the first pluses that come to mind about what a VLAN (Virtual Local Area Network) is. While a firewall takes precautions against possible attacks from outside, the primary measure that can be taken against insider threats will be VLAN configuration and authorization.
Default VLAN or VLAN-1 (Non-VLAN Network)
In other words, VLAN configuration is a must in a network so as not to mix pears with grapes. Imagine that the Wi-Fi IP addresses you have defined for your guests to access the internet, your server IP addresses and your switch management IP addresses are all in the same IP block. Or don't; I can't even imagine it. The "insecure network" I am talking about looks like the topology below.
As can be seen in the picture, all PCs, tablets and servers are on the same network. Computers and servers connect to the network via an Ethernet interface. An Ethernet interface sends hundreds or thousands of broadcast, unicast and multicast packets per second.
If you are curious about these packets, you can install a program called "Wireshark" on your computer and see them in detail. In addition, network devices also send data packets in special protocols (HTTP, HTTPS, FTP, TFTP, SMTP, IGMP, SNMP, BGP, OSPF etc.) to communicate among themselves. The density of these data packets will not matter much for the 3-5 computers shown in the picture.
But try to imagine what kind of chaos these packets will cause when the number of PCs and servers in the network increases, and think about to what extent you can manage that chaos.
It will be the nightmare of network admins to watch packets leaving Ethernet interfaces go to every other Ethernet interface one by one, idly asking "are you my gateway?" while searching for the gateway, and to see the chaos this causes.
The Great Danger Awaiting Us
I say this with regret, because in the vast majority of small and medium-sized companies and institutions the system works this way, that is, with "Internet cafe" (plug, play, forget) logic. As a result, there are frequent traffic-related crashes, decreases in data transfer speed and, most importantly, any user can access the data packets of the servers as they wish. In the picture, the reliability of a network without VLANs is more or less obvious.
Network Hacking (Ethical White Hacker)
With Cain-type software, the communication of all Ethernet interfaces in the same network can be controlled, and data belonging to servers or personal computers, such as correspondence, e-mail and banking transactions, can easily be intercepted by others. The people who wrote Cain set out to create a network with an alternative standard to 802.1 and took advantage of some of 802's vulnerabilities.
Cain can also exploit vulnerabilities in VLAN-supported networks, but it cannot access the data of servers and network switches because they are in different VLAN blocks; it can only poison users in its own VLAN. In advanced smart switches, this vulnerability can easily be closed with security measures.
How Does Cain Work?
The Cain software gets between the user and the gateway and poisons the "IP route table" so that it presents itself as the gateway to the MAC address of the user's Ethernet interface. In this way, all of the user's data passes through the Ethernet interface of the computer running Cain.
In today's managed switches, this gap can easily be closed with the "DHCP Snooping / DHCP Spoofing" configuration. We will give more information about this configuration in future articles.
Warning:
Cain spyware is mentioned for informational purposes only. Our website is not responsible for any illegal use of this program.
Network Powered by VLAN
Now let's come to the VLAN-supported network topology that should be in your company or organization. The picture of the VLAN-supported network is presented below.
Although Extreme switches are used in this topology, we will not talk about the configuration here; I thought it would be useful for you to see and grasp the structure.
In this picture of the LAN (Local Area Network) structure of a medium-sized company, you can see the Company Managers, Accounting, Purchasing, Servers, Engineering Office, Guest Users and Management networks. A separate VLAN has been defined for each of them. It is the topology that best describes "What is a VLAN".
Communication Between VLANs – IP Routing
The fact that each of the units is in a different VLAN block does not mean that there will be no communication between them. Communication between VLAN networks is provided by routing between the gateway IP addresses.
Thanks to the IP routing configuration at Layer 2, the IP blocks will be able to communicate among themselves. Since messages such as broadcast, multicast or hello packets are not included in this communication, CPU and memory will be saved.
As a result, we will have a much more secure local network that is more manageable, uses fewer system resources and is more stable than the flat one. In this network, the Purchasing unit will not communicate directly with the Accounting unit, but only with the allowed protocols through the router or firewall.
In the topology above, our civil engineer in the Engineering Office will communicate with the printer in the same VLAN, VLAN-40, on the same edge switch to print his project. If our engineer wants to read his e-mails, he will need to connect to the Exchange Server.
In other words, communication between the VLAN-40 and VLAN-50 blocks will be provided via the router. If this path is not defined on the firewall and router, our engineer will not be able to access the Exchange Server, that is, he will not be able to read his e-mails from this computer.
Guest VLAN
Let's say a guest of the company CEO arrives and will use the company's Wi-Fi internet with his smartphone. In this case, VLAN-200 will be authorized on the network. Our guest will only be able to reach the internet, because the network admin has IP-routed VLAN-200, the guest network, to go to the internet only through the firewall.
Apart from that, he will never be able to access servers, printers or other devices on the local network. Here, security is brought to the maximum level by authorization through the perfect harmony of VLAN configuration + IP routing + firewall.
Static and Dynamic Virtual Network
If we talk about static and dynamic VLAN configuration:
- In static VLAN configuration, the interfaces belonging to uplink ports are tagged with the desired VLAN IDs (Tagged). The interfaces of the other user ports, on the other hand, are untagged for the VLAN they will be a member of (Untagged). Therefore, whichever VLAN the system administrator has untagged a port for, the user on that port will only be able to go out from that IP block.
- In dynamic VLAN configuration, the uplink ports on the switch are tagged as in the static configuration, but all user ports are initially members of the Guest Network VLAN. With a Switch-Firewall or Switch-DHCP Server (Active Directory, RADIUS etc.) combination, the user is automatically registered to the VLAN he needs to be a member of, thanks to the user's MAC address. Authorization is performed between the switch and the DHCP server; the VLAN ID the user's computer is authorized in is sent to the switch, and the switch makes this port a member of the VLAN the DHCP server wants.
This process can be done per computer or per user. This is also possible thanks to the Switch-DHCP Server-Active Directory Server trio. If there are shared computers in your company and you want to authorize them according to users, you can solve it this way. Thus, if the accountant logs in to computer A, it will automatically be authorized in the VLAN-10 network; if the engineer logs in, it will be authorized in the VLAN-40 network; and if our guest logs in, it will be authorized in the VLAN-200 network.
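As an added example (not code from the original article or from any switch vendor), here is a small Python model of the static tagged/untagged port membership described above, applied to the engineer's printer and Exchange Server case from the IP-routing section: an untagged frame from the VLAN-40 PC reaches the VLAN-40 printer and the tagged uplink, but never the VLAN-50 server port. The port layout, MAC addresses and payloads are constructed for illustration.

```python
# Added example, not from the original article: a minimal model of 802.1Q
# tagging on a switch with static (tagged/untagged) port membership, showing
# why a frame from VLAN-40 never reaches a VLAN-50 port without a router.
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, vid, payload); vid is None if untagged."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[16:]      # low 12 bits of TCI = VLAN ID
    return dst, src, None, frame[12:]                   # payload keeps the real EtherType

def build_frame(dst: bytes, src: bytes, payload: bytes, vid=None) -> bytes:
    """Build a frame, inserting an 802.1Q tag (PCP=0, DEI=0) when vid is given."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + payload

class Port:
    # Constructed static membership as in the article: user ports are untagged in one
    # VLAN (their PVID); uplink ports are tagged in the VLANs they carry.
    def __init__(self, name, untagged=None, tagged=()):
        self.name, self.untagged, self.tagged = name, untagged, set(tagged)

def ingress_vid(port: Port, frame: bytes):
    """Classify an incoming frame to a VLAN, or None if the port must drop it."""
    vid = parse_frame(frame)[2]
    if vid is None:
        return port.untagged                        # untagged frame takes the port's PVID
    return vid if vid in port.tagged else None      # tagged frames only on trunk members

def forward(ports, in_port: Port, frame: bytes):
    """Return {port name: frame as it leaves} for a frame flooded within its VLAN."""
    vid = ingress_vid(in_port, frame)
    if vid is None:
        return {}
    dst, src, _, payload = parse_frame(frame)
    out = {}
    for p in ports:
        if p is in_port:
            continue
        if p.untagged == vid:
            out[p.name] = build_frame(dst, src, payload)        # access port: strip tag
        elif vid in p.tagged:
            out[p.name] = build_frame(dst, src, payload, vid)   # uplink: keep tag
    return out
```

The Exchange Server port (untagged in VLAN-50) never appears in the output for a VLAN-40 frame; only a router with an interface in both VLANs, as the article describes, can carry that traffic across.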
What is VLAN – Management VLAN
Finally, all switches, modems, firewalls, routing and monitoring servers in our network must be members of VLAN-100, the "Network Management VLAN". They will use this VLAN-100 network when communicating with each other. When defining a VLAN for management, the switch should be told that this VLAN is the management VLAN, so that the switch applies extra security measures to it.
There are many things to say about "What is VLAN?", but I think I have conveyed the most important ones. You know what to do for your questions.