Why VLAN management? Pros & Cons of VLAN
Sarah Kolberg | June 21, 2023

WLAN is now a term that everyone can recognize. VLAN is something we encounter less frequently in everyday life. It is an important tool for network segmentation, which provides a higher level of network security and performance. In the following article, you will learn what VLAN means, how it works and how your company can benefit from it. In particular, we will look at the VLAN Manager as an important functionality of macmon NAC.
What is VLAN?
VLAN stands for Virtual Local Area Network. With the help of virtual LANs, logical network segments can be created. This means that the network is subdivided independently of the physical network topology on site. The data traffic of the associated devices of a VLAN is isolated from other VLANs. Communication in the entire network can therefore be better controlled. The devices only have access to the network resources and applications that are required.
Setting up VLANs
VLANs can be used to segment the company network into separate units regardless of its physical structure. Setting up VLANs requires managed switches; only these offer the corresponding configuration options. There are two ways to configure a VLAN: statically and dynamically. A VLAN can span a single switch or several switches. The devices are separated by a VLAN tag in the Ethernet frame. The VLAN tag contains a VLAN ID and the priority of the frame.
Static and dynamic VLAN
Static VLAN
A static VLAN works via port-based VLAN tagging, meaning that the VLAN is permanently linked to a switch port. The VLAN is configured manually and a VLAN ID is assigned to each port. The switch port therefore determines which VLAN the connected device belongs to. A port can send traffic for several VLANs, but incoming traffic on a port is assigned to only one VLAN.
With a static VLAN, the assignment is fixed to the port. This makes it less flexible, but at the same time keeps the administrative effort low.
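As an added example (not code from the article or from macmon), the following Python parser extracts the VLAN tag fields described above (VLAN ID and priority) from a raw Ethernet frame, handles double-tagged frames, and applies the port-based ingress rule from the static VLAN section: untagged frames take the port's configured VLAN, tagged frames are accepted only if their VLAN is permitted on that port. The sample frames are constructed for the example; the ingress rule is a simplified model, not a specific switch's behaviour.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (outer tag in double tagging)

def parse_frame(frame: bytes) -> dict:
    """Return dst, src, the list of VLAN tags (outer first), the EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: missing EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        # Tag Control Information: 3-bit priority, 1-bit drop eligible, 12-bit VLAN ID
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}

def classify_ingress(info: dict, pvid: int, allowed_vids: set):
    """Port-based rule: untagged (or VID 0 priority-tagged) frames join the port VLAN (pvid);
    tagged frames are accepted only for VLANs allowed on the port, otherwise dropped (None)."""
    tags = info["tags"]
    if not tags or tags[0]["vid"] == 0:
        return pvid
    vid = tags[0]["vid"]
    return vid if vid in allowed_vids else None

# Constructed sample frames (dst, src, [tags], EtherType 0x0800, two payload bytes)
FRAME_UNTAGGED = bytes.fromhex("ffffffffffff 001122334455 0800 4500")
FRAME_TAGGED = bytes.fromhex("001122334455 66778899aabb 8100 a064 0800 4500")  # pcp 5, vid 100
FRAME_DOUBLE = bytes.fromhex("001122334455 66778899aabb 88a8 000a 8100 60c8 0800 4500")  # s-vid 10, c-vid 200

if __name__ == "__main__":
    for f in (FRAME_UNTAGGED, FRAME_TAGGED, FRAME_DOUBLE):
        info = parse_frame(f)
        print(info["tags"], "->", classify_ingress(info, pvid=20, allowed_vids={20, 100}))
```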
Dynamic VLAN
With a dynamic VLAN, the switch assigns the VLAN at layer 2 based on the MAC address, or via a higher-layer protocol such as 802.1X. The assignment to the network segment is based on the endpoint itself and is managed in a database on a central server.
The advantage: the endpoint is only ever authorized to access the area it needs for its work, even when working on the move or after relocating the workplace, without the configuration having to be changed.
VLAN advantages
Network segmentation can be organized according to departments, for example. If a network segment is compromised, the entire network is not affected, and the potential damage can be limited. This can be an important tool not only in office environments to protect financial or personnel data, company secrets or business-critical processes. In an industrial environment, individual sections of production lines can be organized in VLANs. This ensures high availability and prevents production stoppages. Network segmentation also means that weak points and errors can be detected more quickly and rectified in less time.
The allocation of a separate broadcast domain per VLAN reduces data traffic and has a positive effect on network performance. As VLANs are virtual units, they can be operated independently of cable and location. Modifications can be made to dynamic VLANs quickly, easily, and cost-effectively.
VLAN disadvantages
It is important that VLAN management is adequately documented and that the corresponding modifications can be viewed. Otherwise, network errors can occur that restrict functionality.
VLAN management with macmon NAC
macmon NAC offers a VLAN Manager in addition to other functions. This feature can be used to set up static and dynamic VLANs. With the dynamic VLAN, the assignment to the segment is carried out simply via the GUI. A VLAN is assigned to each device. macmon NAC supports assignment via MAC address and 802.1X.
Static configuration by assigning VLAN ID and switch port is also possible. Switch ports on which no device is operated are assigned to a VLAN that does not offer any services.