A VLAN (virtual LAN) in a switched network is a logical collection of devices grouped together to form a virtual network within a larger network. VLANs allow an administrator to create networks based on parameters other than the network address, which is what makes them "virtual": devices in a VLAN behave as though they are on the same wire, even though they may be physically located on different segments of the LAN. In fact, a VLAN can even extend across the WAN.
The reason to create a VLAN is to
segment a large subnet, which simplifies user mobility and provides
broadcast controls. Switches are configured with policies (or rules) that
limit which device can access which VLAN. These rules are set on a switch
port or range of ports. The most secure rules combine two or more
characteristics of the connecting device, such as some combination of
port, MAC address, IP address, and/or routing protocol.
These rules can be statically
configured or dynamically learned. If a rule is violated, that device is
not allowed to access the network and alarms and/or logs are generated.
This provides an extra level of security for non-mobile devices such as
printers and servers, especially when they are deployed in a semi-public
space.
VLAN Assignment Methods
Policy-based VLANs allow various methods for users to be assigned
to VLANs independent of their physical attachment to the network, which is
important for maintaining user mobility. VLANs can be formed based
on a variety of characteristics including:
- Switch port
- MAC address
- IP address
- Protocol type
- Multicast-aware
- DHCP-aware
- 802.1Q tags
- User identity (through authentication)
These characteristics can be deployed as standalone
rules or combined.
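The following is an added example, not code from the original text or any particular switch vendor, showing how the policy rules described above (standalone port, MAC or IP rules, or several characteristics combined, with a violation denied and logged) can be modelled. The port names, MAC addresses and subnets are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class VlanRule:
    """One policy rule: every criterion that is set must match the connecting device."""
    vlan: int
    port: Optional[str] = None      # switch port the device is attached to
    mac: Optional[str] = None       # device MAC address
    subnet: Optional[str] = None    # subnet the device's IP address must fall in
    protocol: Optional[str] = None  # e.g. "ipv4" or "ipv6"

    def specificity(self) -> int:
        # Number of characteristics the rule combines; more is more specific.
        return sum(v is not None for v in (self.port, self.mac, self.subnet, self.protocol))

    def matches(self, port: str, mac: str, ip: str, protocol: str) -> bool:
        return ((self.port is None or self.port == port)
                and (self.mac is None or self.mac.lower() == mac.lower())
                and (self.subnet is None or ip_address(ip) in ip_network(self.subnet))
                and (self.protocol is None or self.protocol == protocol))


class VlanPolicy:
    def __init__(self, rules: List[VlanRule]):
        # Combined rules are checked first; ties keep configuration order (sort is stable).
        self.rules = sorted(rules, key=VlanRule.specificity, reverse=True)
        self.log: List[str] = []

    def assign(self, port: str, mac: str, ip: str, protocol: str = "ipv4") -> Optional[int]:
        """Return the VLAN for the device, or None (and a log entry) when no rule permits it."""
        for rule in self.rules:
            if rule.matches(port, mac, ip, protocol):
                return rule.vlan
        self.log.append(f"VIOLATION port={port} mac={mac} ip={ip} proto={protocol}: access denied")
        return None


def build_sample_policy() -> VlanPolicy:
    # Constructed sample rules (hypothetical ports, MACs and subnets).
    return VlanPolicy([
        VlanRule(vlan=10, port="Gi1/0/1"),                           # port-based user VLAN
        VlanRule(vlan=30, mac="aa:bb:cc:dd:ee:ff"),                  # laptop follows its MAC
        VlanRule(vlan=20, port="Gi1/0/24", mac="00:11:22:33:44:55",  # printer pinned by
                 subnet="10.0.20.0/24"),                             # port + MAC + subnet
    ])
```

A device on the printer port with a different MAC or an address outside the printer subnet matches no rule, so it is denied and a log entry is recorded, which is the behaviour the text describes for non-mobile devices in semi-public space.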