Scaling your network with VLANs

How can you keep your network manageable, increase performance and enhance security as it grows? One solution is to divide your big, flat LAN into Virtual LANs or VLANs.

By Debra Littlejohn Shinder

As your network grows, it becomes increasingly difficult to manage dozens, hundreds, or even thousands of computers. On a large, flat, switched network, performance suffers and security concerns increase.

One way you can structure your growing network is to divide it into segments called Virtual Local Area Networks, or VLANs. You can group the computers of users who work together (workgroups) into VLANs, whether or not they are located in close physical proximity. Often, an organization creates separate VLANs for different departments or divisions. The VLAN serves as a security boundary and improves performance by isolating broadcast and multicast traffic.

Advantages of VLANs

Normally, a local area network (LAN) acts as a broadcast domain. That is, all devices on the LAN will receive broadcast messages from all other devices on that LAN. The communications within the LAN go through devices such as hubs, switches and bridges. VLANs are usually separated by switches that divide the network into multiple broadcast domains, to reduce the amount of traffic going to all devices and thus increase performance.

You can put users who are "bandwidth hogs" (that is, their jobs require constant use of the network to interact with a particular server) on the same VLAN segment with the servers to which they need access. This will prevent other users, on separate VLANs, from having their network transactions with other servers impacted by the high-usage users. Their network performance won't suffer, and the performance of the high-usage users will also improve.

The VLAN structure also makes it easier for administrators to manage network resources. Users can be grouped logically with the resources (servers, printers, etc.) that they need. Moving users and computers from one VLAN to another is easy and can be accomplished through the software instead of having to physically unplug computers from a subnet and move them to another. And when a user's computer physically moves to a different location (for example, with a laptop computer), the VLAN management software can recognize the computer and automatically assign it to the VLAN to which it's supposed to belong.

Finally, using VLANs can increase security. When you use TCP/IP for network communications, as most organizations do today, VLANs can communicate with each other through a router (or "layer 4 switch," which is essentially a switch with routing capabilities), and users who deal with highly sensitive communications and servers that contain confidential data can be placed on a high security segment. Communications from others on the LAN who are not on the same VLAN will be subjected to the router's access controls and filtering. Without a router, devices on one VLAN are not able to "see" or access those on a different VLAN even if they are physically attached to the same switch.


If you are using a non-routable networking protocol stack on the LAN, VLANs communicate with each other through a bridge instead of a router. However, this negates the security advantage since bridges cannot perform higher layer filtering functions as a router can.

If you have users or servers that must maintain a particularly high security level, you can put them together on the same VLAN and prevent all communications from outside the VLAN.

VLANs are also useful for special purposes, such as Application Service Providers (ASPs), who can use them to keep the traffic of many different customers isolated from each other, while using the same hardware.

How to deploy a VLAN infrastructure

When you can assign computers to VLANs, you can group them by port, IP address or a particular value in a specified IP packet header field.

  • IP address-based VLANs are also called virtual subnets. Although VLANs are actually implemented at Layer 2 of the OSI model (the data link layer), IP address-based VLANs use Layer 3 (network layer) information. Communications between virtual subnet VLANs is routed. You can have more than one VLAN connected to the same port on a switch.
  • Port-based VLANs are also called segment-based VLANs or static VLANs. Only one VLAN is supported by each port on the switch, and VLAN membership is assigned to that port rather than to a computer's MAC address. Traffic on the local VLAN is switched and traffic that goes to other VLANs is routed.
  • Value-based VLANs define groupings by whichever field in the packet header you specify. For example, the field that contains the Media Access Control or "physical" address that is assigned to the computer's network interface card can be specified to group computers into VLANs based on their MAC addresses. MAC address-based VLANs are also called dynamic VLANs and are considered less secure than static (port-based) VLANs.

You can deploy VLANs using switches such as Cisco's Catalyst models that support Inter-Switch Link (ISL) and IEEE 802.1Q. The IEEE 802.1Q standards specify two ways to "tag" VLAN frames to define to which VLAN a frame belongs. These are:

  • Implicit: This refers to tagging frames as referenced above, based on packet header fields (MAC address, protocol, etc.) or receiving port.
  • Explicit: This refers to including an explicit VLAN tag for that purpose in the frame.

VLAN trunking

As your network grows more, you may want to deploy multiple VLANs on multiple switches. VLANs on different switches can communicate with each other using trunking technology based on the VLAN trunking protocol (VTP). This allows multiple switches to be members of a common VLAN management domain. All the switches within a management domain share information with each other. This makes it easy to centralize the management of all your VLANs on the network.

VLAN scalability

Using VLANs to divide your growing network can help with manageability, performance and security, but it's a complex topic and you'll need to understand how VLANs work and the different methods of deploying them before you take the plunge. Vendors of switches that support VLANs generally have a wealth of information on their Web sites regarding how to implement their specific solutions.

About Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

Editor's Picks

Free Newsletters, In your Inbox