VLAN

In almost every enterprise network, devices with very different protection requirements operate on the same physical infrastructure: workstations, phones, printers, cameras, machine controllers. Virtual LANs, VLANs for short, bring order to this coexistence. They divide a physical network into logically separated segments, without requiring separate switches or dedicated cabling. VLANs are therefore a basic tool of every network design and are in use in practically every environment. At the same time, they are regularly overestimated when it comes to security. This article explains both: what VLANs achieve and at which point more modern concepts have to take over.

What is a VLAN?

A VLAN (Virtual Local Area Network) is a logical subnetwork at Layer 2, the data link layer of the network model. Devices in the same VLAN communicate with one another as if they were connected to their own exclusive switch. Devices in different VLANs, by contrast, can only reach each other via a routing instance, typically a Layer 3 switch or a firewall. This creates structure: each VLAN forms its own broadcast domain and usually receives its own IP subnet. The relevant standard is IEEE 802.1Q. It defines how Ethernet frames are given a VLAN identifier so that several logical networks can share the same physical line. The identifier is twelve bits long, which allows 4094 usable VLANs to be distinguished. The method was introduced to keep growing networks manageable, and today it is part of the basic equipment of every switch infrastructure.

How it works

  • Tagging according to IEEE 802.1Q: The switch adds a tag with the VLAN ID to every Ethernet frame. Based on this identifier, all the switches involved keep the logical networks apart.
  • Access ports for end devices: An access port belongs to exactly one VLAN. The connected end device is unaware of the tagging, the switch handles the assignment.
  • Trunk ports between switches: Several VLANs run over a trunk at the same time, and each frame carries its tag there. This lets a VLAN extend across any number of switches, floors, and buildings.
  • Separate broadcast domains: Broadcasts stay within their own VLAN. This relieves the overall network and prevents disruptions in one segment from affecting all the others.
  • Routing between VLANs: Transitions between the segments run via Layer 3. This is where firewall rules take effect, controlling the traffic between the zones.

Why VLANs matter

  • They create comprehensible structure, because device classes and departments can be assigned to cleanly separated segments.
  • They limit broadcast traffic and thereby improve the stability of larger networks.
  • They form the basis for prioritization, for example so that voice traffic in the telephony VLAN is treated preferentially.
  • They separate non-critical from sensitive areas, for example guest access from the internal company network.
  • They are included in practically every switch and incur no additional license costs.
  • They make changes in operations easier, because the assignment of a port is done through configuration instead of re-cabling.

Typical scenarios

  • The guest Wi-Fi ends up in its own VLAN and reaches only the internet, never internal systems.
  • IP phones are given a voice VLAN with prioritization so that calls remain stable even under high network load.
  • Production facilities and building technology are separated from the office network so that maintenance access runs in a controlled manner over defined transitions.
  • Cameras and other IoT devices that rarely receive security updates go into a sealed-off segment with tight rules.
  • In buildings with multiple tenants, the users share the infrastructure but remain logically separated from one another.
  • When setting up new departments or during conversions, additional segments are created through configuration, without new hardware having to be procured.

VLAN vs. microsegmentation

A VLAN structures the network, but it does not secure individual workloads. Within a VLAN, all devices communicate with one another unhindered. If an attacker compromises a system, they can move freely within the same segment, and the VLAN boundary registers nothing of it. Between VLANs, too, the rules remain coarse, because firewalls there consider entire subnets instead of individual applications. Microsegmentation therefore starts one level deeper: policies apply per workload or application and follow the system regardless of which segment it is in. Lateral movement is thereby prevented even within a segment, the central pattern of modern attacks. VLANs nevertheless remain useful, as a basic structure on which finer controls build. Our service page Zero Trust Microsegmentation describes what this approach looks like in practice.

VLANs at KAEMI

KAEMI plans and operates enterprise networks in which segmentation is part of the design from the start. With SD-LAN , we lift traditional VLAN concepts onto a software-controlled foundation: segments and port assignments are defined centrally and rolled out automatically to all switches. This reduces manual work on individual devices and ensures consistent configurations at all sites, from the campus to the small branch office. Where the protection requirement goes beyond the segment structure, we combine the LAN design with microsegmentation at the workload level. This creates a network that remains manageable in everyday use and yet leaves attackers little room. In addition, we take over the operation and monitoring of the environment so that changes remain documented and the segmentation permanently matches the reality in the network.

Frequently asked questions about VLAN

How many VLANs are possible?

The IEEE 802.1Q standard reserves twelve bits in the Ethernet frame for the VLAN ID. This makes 4094 usable identifiers available, with two values reserved. For most enterprise networks, this is more than sufficient. In very large environments such as data centers, additional methods such as VXLAN are used, which considerably expand the address space.

Is a VLAN a security boundary?

Only to a limited extent. VLANs separate traffic at the network level and prevent direct communication between segments, provided no routing is allowed in between. Within a VLAN, however, there is no control, and misconfigurations can undermine boundaries. For robust security, additional controls are needed, such as firewalls between the zones and microsegmentation at the workload level.

What distinguishes access ports from trunk ports?

An access port belongs to exactly one VLAN and connects end devices such as computers or printers, which are unaware of the tagging. A trunk port transports several VLANs at the same time, and each frame carries its 802.1Q tag for this. Trunks connect switches to one another or to routers and firewalls so that VLANs extend across the entire infrastructure.

What is the difference between a VLAN and a subnet?

A VLAN separates networks at Layer 2, a subnet structures the IP address space at Layer 3. In practice, the two belong together: each VLAN usually receives its own subnet so that the transition between segments runs via a routing instance and can be controlled there. The VLAN is the link level, the subnet is the address level of the same zone.

When is a VLAN no longer sufficient?

As soon as it comes to protecting individual applications and servers. VLANs form coarse zones within which attackers can move freely after a compromise. Microsegmentation enforces policies per workload and prevents lateral movement even within the same segment. The combination makes sense: VLANs for the basic structure, microsegmentation for critical systems.

Open questions about this in your environment? KAEMI advises you in line with your requirements and can also take over operations.