VLANs

A Virtual Local Area Network (VLAN) is a partitioned and isolated broadcast domain at the data link layer or OSI layer 2. Or in other words, a smaller virtual network within a larger physical one.

What are the advantages of VLANs? Why are they used?

There are 5 core reasons why VLANs are used: security, cost, performance, manageability and availability.

Security

All the nodes within a network segment can receive packets meant for other nodes. Normally, when a network interface card (NIC) receives packets not intended for its MAC address, those packets are just dropped/ignored. However, a NIC can be switched a promiscuous mode in which ALL packets will be processed including those meant for other nodes. This can be a blatant and unassumable security risk, especially in shared environments (e.g. datacenter hosting servers from different companies).

VLANs can reduce that risk by partitioning and isolating the LAN in smaller segments, so that an attacker has less hosts to sniff.

Cost

Let's imagine a company with an audit department whose personnel is spread over various floors in a building. Those auditors must use a segregated network (company policy) but there are just a few of them in each floor so several switches would be required, one for each floor. The cost might be steep and that's where VLANs come in to help again.

With a VLAN created just for the auditing department, no new switches would be necessary as the existing ones could be used. There would be multiple virtual networks (VLANs) within a larger physical one.

Performance

Broadcast traffic in today Ethernet networks comprises mostly ARP (Address Resolution Protocol), DHCP (Dynamic Host Configuration Protocol) and RIP (Routing Information Protocol) among others. In a busy network there might be hundreds of broadcasts per second and each of those broadcasts needs to be processed by the each host through CPU interrupts. Even though today's CPUs are so fast that the broadcast processing cost should not be that noticeable, there is still the issue of network collisions those noisy broadcasts might cause.

VLANs can increase network performance by reducing broadcast traffic and leveraging L3 switch capabilities to reduce the number of hops and latency. For frames to get from one VLAN to another, a layer 3 device needs to route them. That layer 3 device might be a router or a switch. If it is a router, latency is added by increasing the number of hops. If it is an L3 switch, the traffic might flow from one VLAN to another without leaving the switch thereby reducing latency and increasing the speed.

Manageability

The manageability advantage stems mostly from the fact that physical network gear can be virtualised and/or reduced. Less networking equipment = less management burden.

Availability

Segmenting a network into smaller VLANs reduces the failure domain to an extent. Given enough time, NICs tend to fail. Sometimes a NIC failure results in a packet storm that hinders the availability of the LAN. By chopping the LAN into smaller VLAN segments, the damage a failure can cause s greatly reduced.

Configuring VLANs is pretty straight forward. As with bonding, teaming & bridging, we will show how to do it with ifcfg files and the command line. But VLANs can also be configured with nmtui, nmcli and the Network Manager GUI.

First we choose what unused NIC will host the VLAN and configure it as follows:

# cat /etc/sysconfig/network-scripts/ifcfg-ens1
NAME=ens1
DEVICE=ens1
BOOTPROTO=none
ONBOOT=yes

Then we create the ifcfg for the VLAN by using the same file name as its host NIC plus the VLAN ID separated with a dot. For instance, if the auditors VLAN ID is number 25...

# cat /etc/sysconfig/network-scripts/ifcfg-ens1.25
NAME=ens1.25
DEVICE=ens1.25
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.105.1
PREFIX=24
NETWORK=192.168.105.0
VLAN=yes

We see this VLAN ifcfg file is like one for a static IP save for the last 2 parameters which are self-explanatory.

To bring the VLAN up and running, we will first have to bring up the underlying interface (it won't work otherwise!):

# ifup ens1
# ifup ens1.25

We can create as many VLANs are our setup supports (number of supported VLANs depends on a number of factors), by creating more VLAN ifcfg files with the corresponding ".VLAN-ID" suffix. And when we are done we can start all NICs, bonds, teams, bridges and VLANs with ...

# systemctl restart network

<< bridging                    SSH >>