VLAN (Virtual LAN)
Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.
Most enterprises have moved toward the switched network paradigm, in which computers are connected to dedicated ports on Ethernet switches, Gigabit Ethernet switches, ATM switches, or other types of switches. Switching devices support network designs in which the entire network is one big flat network as opposed to many subnetworks interconnected by routers. In a flat network, all workstations are in the same broadcast domain. Any computer can directly communicate with any other computer. This has advantages and disadvantages that will be discussed here.
A flat network easily interconnects all systems into a single broadcast domain, but a single broadcast domain has drawbacks related to security, network traffic problems, and a loss of local management. Some administrators prefer traditional subnetwork designs, which can be introduced into flat switched network designs with VLANs. The IEEE 802.1Q VLAN standard was rolled out to provide important VLAN techniques required to build large switched networks. The IEEE standard is discussed later.
A basic VLAN is pictured in Figure V-1. All the computers are connected to the same physical network, and two logical subnets in the form of VLANs overlay it. In the older physical LAN model, all the computers in Sales were connected to the same physical network within the same physical area. In the VLAN model, a computer at any location on the physical network can participate in a VLAN. For example, users in different buildings on the same campus can be part of the same VLAN group, broadcasting messages to one another and sharing the same group servers, printers, and other resources.
Keep in mind that the underlying physical network for VLANs is a flat switched network; VLANs overlay this topology. Routers are still needed to forward packets between VLANs, as shown on the left in Figure V-2. They let each VLAN keep its autonomy and its own broadcast domain while forwarding packets between VLANs when necessary. Routing also gives administrators a place to enforce security policy, such as the packet-filtering techniques discussed under "Firewall." A well-designed network places the stations that communicate most with each other in the same VLAN, so that as little traffic as possible needs inter-VLAN routing.
Routing restores the advantages of subnetworking to the flat switched topology, but a traditional software-based router forwards packets more slowly than a switch does (hardware layer 3 switching removes this penalty and, as discussed later, much of the reason to use VLANs at all). Even though a network is subdivided into VLANs, the underlying switches can still deliver frames to any computer at high speed. The "route first, then switch" technique (sometimes called cut-through routing) exploits this to boost performance: a router establishes the path between two systems in different VLANs and performs the security checks that decide whether the two systems may set up a connection. Once the route is established and the checks have passed, the remaining packets of the flow are switched through the layer 2 fabric, so only the first few packets pass through the slow router. Note that any packet filtering the router enforces therefore applies only to those first packets; the switched packets that follow bypass it. In some environments a route server calculates routes and all packets are switched. See "IP over ATM."
Figure V-3 illustrates how VLANs are configured. The bottom of the illustration shows the structure of the physical LAN. Backbone switches and local area switches provide VLAN configuration functions.
The network administrator includes a computer (or user) in a VLAN based on a switch port address, a computer hardware address (the MAC, or Medium Access Control address of a network interface card), an IP address, or some other method. In Figure V-3, when computer B transmits, it sends a message that is broadcast to all the computers in the Marketing VLAN, which includes computers E, G, H, and J. If computer B needs to send a message to a user in the Research VLAN, the message must be routed. This is handled by a routing function in the backbone switch or by a separate router.
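The broadcast confinement described above, as an added example (my code, not Linktionary's): a small model of a VLAN-aware learning switch in Python. Port numbers, the MAC addresses, and the Research hosts K and L are constructed for the example; B, E, G, H and J are the Marketing hosts of Figure V-3.

```python
"""Model of a VLAN-aware learning switch (added example, not from the page).

The port-to-VLAN mapping, host MAC addresses and the Research hosts K and L
are constructed for this example; B, E, G, H and J are the Marketing hosts
of Figure V-3.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"

# constructed: ports 1-5 are the Marketing VLAN (10), ports 6-7 Research (20)
PORT_VLAN = {1: 10, 2: 10, 3: 10, 4: 10, 5: 10, 6: 20, 7: 20}
HOST_PORT = {"B": 1, "E": 2, "G": 3, "H": 4, "J": 5, "K": 6, "L": 7}
MAC = {host: f"02:00:00:00:00:{port:02x}" for host, port in HOST_PORT.items()}


class VlanSwitch:
    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port -> VLAN id (port-based membership)
        self.mac_table = {}                # (vlan, mac) -> port; learned per VLAN

    def receive(self, in_port, src, dst):
        """Return the sorted list of ports the frame is forwarded to."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src)] = in_port          # learn the source in this VLAN only
        if dst != BROADCAST and (vlan, dst) in self.mac_table:
            out = self.mac_table[(vlan, dst)]
            return [] if out == in_port else [out]      # known unicast: one port
        # broadcast or unknown unicast: flood, but never beyond this VLAN's ports
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


def broadcast_from(switch, host):
    return switch.receive(HOST_PORT[host], MAC[host], BROADCAST)


def unicast(switch, src_host, dst_host):
    return switch.receive(HOST_PORT[src_host], MAC[src_host], MAC[dst_host])


if __name__ == "__main__":
    sw = VlanSwitch(PORT_VLAN)
    print("B broadcasts to ports", broadcast_from(sw, "B"))   # Marketing ports only
    print("B -> K reaches ports", unicast(sw, "B", "K"))      # flooded inside VLAN 10; K never sees it
```

A frame from B addressed to K (Research) is flooded only within VLAN 10 because the switch never learns K's MAC address in that VLAN; the frame has to be handed to a router to cross VLANs, which is the point Figure V-3 makes.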
VLANs are essential in organizations in which users move from one group to another, or the structure of the organization is such that members of the same workgroup are located in different physical locations. VLANs let scattered group members share common resources, such as storage devices, and be part of the same broadcast domain. In other words, traffic generated by users in a group should stay confined to their group. If users are highly mobile and move from one office to another as part of their job, the network administrator can use VLAN techniques to keep the user within a broadcast group no matter where they plug into the network.
With the advent of routing switches, as described under "Multilayer Switching," VLAN usage has fallen off. Routing switches perform routing in hardware, which removes the performance problem of traditional software-based routers. These switches are said to route at wire speed. Thus, high-performance, inexpensive, well-understood routing via routing switches has supplanted VLANs. Still, many of these routing switches support VLAN technologies, so VLANs can be configured if necessary.
VLANs have always been difficult to configure, while routed subnetting is well understood. In addition, the network design supported by VLANs is less practical in enterprise networks where traffic heads straight for enterprise data centers and the Internet rather than to servers and other devices within "local" groups.
VLAN Configuration Methods
Switching architectures are ideal for the creation of VLANs. The first VLANs were configured manually. Then, as the technology became better understood and more popular, more advanced techniques were employed. The following sections describe the various techniques that can be used to build VLANs. Many vendors implement some or all of them. The more advanced methods rely on IP protocols, so networks that use both IP and nonroutable protocols such as NetBIOS may need to use the MAC-based method described next in addition to the IP methods.
Port Configuration Methods
With the port configuration method, the administrator groups specific ports on a hub or switch into separate LANs within the same box. For example, ports 2, 4, 5, and 8 are grouped as LAN #1, and ports 1, 3, 6, 7, 9, and 10 as LAN #2. Strictly speaking, the resulting LANs are not VLANs but distinct wiring configurations, because membership follows the physical port rather than the station. Two backplane designs allow this: multibus backplanes, in which each bus represents a LAN and each port is attached to one bus, and TDM (time division multiplexing) backplanes, in which specific time slots on a single bus are owned by a specific LAN. Because the LANs are configured within the hub or switch itself, some devices cannot bridge a LAN configured in one device with a LAN configured in another. (Port-based membership combined with the IEEE 802.1Q tagging described later removes this limitation: a frame entering a port is tagged with that port's VLAN ID and can be carried across switch-to-switch links to ports of the same VLAN in other switches.)
MAC Address Configuration Methods
The MAC address is the hardwired address built into a network interface card. The administrator creates a table that defines which MAC addresses belong to which VLAN. Compared to port configuration, this method provides true VLAN capability because membership in a VLAN is not tied to a specific hardware port. Configuration is done in software, and a computer can usually belong to two or more VLANs. If a computer is moved to another location, it still belongs to the same VLAN because its MAC address moves with it. Keep in mind that the switch sees only the MAC address a station presents; the table ties membership to that address, not to a verified identity.
Layer 3 VLANs
This type of VLAN uses layer 3 information to build VLANs based on internetwork protocol addresses. For example, in Figure V-3, all the computers in the Marketing VLAN might have IP address 100.200.1.x (where x is a specific number for each workstation), while computers in the Research VLAN have IP address 100.200.2.x. A layer 3 switch looks at the network address in a frame and forwards the frame based on a table that matches the network address with membership in a particular VLAN. As with MAC-based VLANs, moves are easy because the workstation's port does not determine VLAN membership. However, inspecting the layer 3 address on every frame can cause performance problems. The layer 3 approach can be extended to put more routing functionality right in the switch, and that is what many vendors have done with their high-end switches. Refer to "Multilayer Switching" for the architectural details of these switches.
IP Multicast VLANs
In this approach, a VLAN is defined by membership in an IP multicast group. IP multicasting lets one workstation transmit to some, but not all, workstations on a network; the workstations that receive the transmission form the multicast group. It is one-to-many communication supported by Internet standards and addressed with IP class D addresses (224.0.0.0 through 239.255.255.255). Routers must be multicast enabled to use this feature. A host signals that it wants to join or leave a group (with IGMP), and routers build multicast delivery among themselves only for groups that some host on an attached network has joined, so routers with no interested hosts carry no unnecessary traffic. Membership is dynamic: workstations can join and leave a group at any time, which makes this a useful and flexible way to create VLANs. Because multicast traffic is routed, such a VLAN can also span WAN-based routers.
Rules-Based VLANs
Some vendors have implemented "rules-based" VLAN configuration techniques, which let administrators create VLANs based on information contained in the packets that switches inspect and evaluate. The administrator writes rules in software, and the switch follows them to determine VLAN membership. While this technique adds a lot of flexibility, setup and maintenance can be complex. For example, a VLAN might be described with these rules:
All stations with subnet address 200.100.10.x
  excluding these IP addresses: 188.8.131.52, 184.108.40.206
  excluding these MAC addresses: 06-1A-0A-05-3C-02-04
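A rule evaluator of the shape just quoted, as an added example (my code, not Linktionary's or any vendor's): stations are included by IP subnet and then carved out by IP address or MAC address. The rule set, the "first matching rule wins" ordering, and every address in it are constructed for the example.

```python
"""Rules-based VLAN membership (added example, not Linktionary's or a vendor's code).

A rule includes stations by IP subnet and then carves out exceptions by IP
address or MAC address. Rule order, the "first match wins" policy and all
addresses below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Accept 00-1A-0A-05-3C-02 or 00:1a:0a:05:3c:02; reject anything but 6 octets."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class VlanRule:
    vlan_id: int
    include_subnets: list                              # ipaddress network objects
    exclude_ips: set = field(default_factory=set)      # ipaddress address objects
    exclude_macs: set = field(default_factory=set)     # normalized MAC strings

    @classmethod
    def parse(cls, vlan_id, subnets, exclude_ips=(), exclude_macs=()):
        return cls(vlan_id,
                   [ipaddress.ip_network(s) for s in subnets],
                   {ipaddress.ip_address(a) for a in exclude_ips},
                   {normalize_mac(m) for m in exclude_macs})

    def matches(self, addr, mac):
        # exclusions are checked first, so an excluded station never matches this rule
        if mac in self.exclude_macs or addr in self.exclude_ips:
            return False
        return any(addr in net for net in self.include_subnets)


def classify(rules, ip, mac, default_vlan=None):
    """Return the VLAN id of the first matching rule, else default_vlan."""
    addr = ipaddress.ip_address(ip)
    mac = normalize_mac(mac)
    for rule in rules:
        if rule.matches(addr, mac):
            return rule.vlan_id
    return default_vlan


# constructed rule set in the shape of the quoted rule
RULES = [
    VlanRule.parse(10, ["200.100.10.0/24"],
                   exclude_ips=["200.100.10.5", "200.100.10.6"],
                   exclude_macs=["00-1A-0A-05-3C-02"]),
    VlanRule.parse(20, ["200.100.20.0/24"]),
]

if __name__ == "__main__":
    print(classify(RULES, "200.100.10.7", "00-1A-0A-05-3C-03"))   # 10
    print(classify(RULES, "200.100.10.5", "00-1A-0A-05-3C-03"))   # None: excluded address
```

Both the IP address and the MAC address are values the station itself presents, so rules like these place a station in the VLAN it appears to belong to; a station that changes its addresses changes its VLAN.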
IEEE 802.1Q Frame Tag
The IEEE 802.1Q frame tag defines a method for inserting a tag into an IEEE MAC-layer frame that identifies the frame's VLAN membership. During the standardization process, engineers also used a few bits of the tag to carry a class-of-service (priority) value. That priority scheme was known during development as Project 802.1p, but officially it is part of IEEE 802.1D-1998. Prioritization is discussed under "QoS (Quality of Service)" and "Prioritization of Network Traffic."
802.1Q is designed to simplify VLAN configuration and management. It specifies a way to define and set up VLANs in frame-based networks such as Ethernet and token ring. IEEE 802.1Q promotes interoperability among vendor VLAN equipment. It is a tagging scheme in which a VLAN ID is inserted into the layer 2 frame header. The VLAN ID associates a frame with a specific VLAN and provides the information that switches need to create VLANs across the network.
The 4-byte tag consists of a 16-bit tag protocol identifier (0x8100) followed by a 16-bit tag control field: 3 bits of priority, 1 bit of canonical format indicator, and a 12-bit VLAN ID. VLAN ID 0 means the frame carries only priority information and belongs to no VLAN, and 4095 is reserved, so 4094 VLAN IDs are usable. A frame that arrives without a tag is assigned the receiving port's default VLAN ID (the PVID, often called the native VLAN on switch-to-switch links). The standard defines the forwarding of frames based on tag information, the explicit sharing of VLAN membership and topology information between switches, and VLAN management and configuration.
GARP (Generic Attribute Registration Protocol) is a generic framework, defined in IEEE 802.1D-1998, that lets switches and end stations register attributes with their neighbors and propagate them through the network. GVRP (GARP VLAN Registration Protocol) is its 802.1Q application: a switch or station registers the VLAN IDs it wants to receive, and the registrations propagate so that each switch-to-switch link carries only the VLANs that have members beyond it, which controls the VLAN join/drop process. Because any attached device can register a VLAN this way, dynamic registration is normally accepted only on links between switches. Network management systems and policy servers also use GVRP to provide administrative control.
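The tag layout described above, as an added example (my code, not Linktionary's and not from the IEEE standard): build and parse 802.1Q-tagged Ethernet frames, assign untagged and priority-tagged frames to a port's default VLAN, and show what a second tag looks like to a parser. Treating 0x88A8 (the 802.1ad service tag) as a tag, the PVID policy in effective_vid(), and all frames below are my assumptions for the example.

```python
"""Build and parse IEEE 802.1Q-tagged Ethernet frames (added example, not from the page).

Tag layout: 16-bit TPID 0x8100, then a 16-bit TCI holding a 3-bit priority
(PCP), a 1-bit CFI/DEI and a 12-bit VLAN ID. Recognizing 0x88A8 (802.1ad)
as a tag and the PVID policy in effective_vid() are assumptions made here.
"""
import struct

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"MAC must be 6 octets: {mac}")
    return raw


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4, vid=None, pcp=0, dei=0):
    """Untagged frame when vid is None; otherwise insert one 802.1Q tag after the MACs."""
    head = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094 (0 is priority-only, 4095 is reserved)")
        if not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("PCP is 3 bits, DEI is 1 bit")
        head += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)
    return head + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, the list of tags (outermost first), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break                                   # a real EtherType: no more tags
        if off + 4 > len(frame):
            raise ValueError("truncated tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "tags": tags, "ethertype": etype, "payload": frame[off + 2:]}


def effective_vid(parsed: dict, pvid: int) -> int:
    """VLAN a port assigns: untagged and priority-tagged (VID 0) frames get the port's PVID."""
    if not parsed["tags"] or parsed["tags"][0]["vid"] == 0:
        return pvid
    return parsed["tags"][0]["vid"]


def strip_outer_tag(frame: bytes) -> bytes:
    """What a switch does when sending on an untagged port: remove the outermost tag only."""
    if not parse_frame(frame)["tags"]:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", b"\x45\x00", vid=10, pcp=5)
    print(f[12:16].hex(), parse_frame(f)["tags"])          # 8100a00a [{... 'vid': 10}]
    # constructed double-tagged frame: outer tag VID 1, inner tag VID 10
    d = f[:12] + bytes.fromhex("81000001") + f[12:]
    print([t["vid"] for t in parse_frame(d)["tags"]])       # [1, 10]
```

The double-tagged frame at the end is why a parser should report every tag rather than only the first: a port that strips the outer tag and forwards the frame untagged leaves the inner VID 10 tag in place, so the frame is then treated as VLAN 10 traffic on the next link. Keeping user traffic off the PVID of switch-to-switch links avoids that path.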
Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.