How to set up a virtual LAN (VLAN)

Ethernet cables connected to the back of a server
(Image credit: Getty Images)

You may have seen the term 'VLAN' wherever there’s talk of networking. It stands for virtual local area network and is one of the most useful but underused features in a network admin’s arsenal. But what is a VLAN, and how do you go about setting one up?

A VLAN is one of the first examples of software defined networking (SDN), a burgeoning technology which allows physical switches to be replaced with software controlling the flow of data. VLAN technology is much simpler in scope than some other, more advanced examples of SDN infrastructure but the good news is, it’s much easier to set up with your existing equipment.

Put simply, a VLAN is a way to have an entire branch of your network completely separate from the rest without the need for a second internet connection or router. Most professional routers (and an increasing number of home/SOHO devices) are VLAN capable. If your office communications are delivered by voice over internet protocol (VoIP), it will almost certainly be routed over a VLAN in order to ringfence bandwidth, avoid security breaches and thus ensure uptime – as long as there’s still an internet connection – regardless of what happens on the rest of the network. An even simpler VLAN is the Demilitarised Zone (DMZ) feature offered by most routers, which bypasses all security protocols to a specific IP address or range whilst leaving it active across the rest of the network.

What are the benefits of using a VLAN?

In an office environment, the benefits can be huge. If you want to offer customers Wi-Fi, for example, you can add a separate access point (AP) to your network inside a VLAN, thus ensuring that public users can only connect to the web, with no way of getting to your sensitive company data.

One of the advantages of a VLAN is that, because it’s a software defined logic layer, it isn’t limited to one physical location. In a global company, a VLAN can be set according to the needs of individual job functions or departments. For example, a sales team may not have desks in the office, but instead log into the company resources via virtual private network (VPN). The VPN can be configured to divert traffic over a specific VLAN, thus limiting company access remotely in the same way as it does in the office.

Another good example of VLANs in action is prioritisation of network traffic. Returning to the example of a public Wi-Fi network, if your main corporate network is struggling to meet performance demands, you could, at the flick of a switch, reapportion part of the bandwidth devoted to customer-facing Wi-Fi in order to bolster the primary network, and return it when traffic returns to normal.

Setting up a VLAN

If this sounds like a useful ability to have in your toolbelt, the good news is that setting up a VLAN is very quick and easy, although the specific process will depend on your network infrastructure. On some devices, there may be one ethernet port designated for VLAN use, whilst others may allow multiple VLANs on multiple ports. Check the instructions on your router for more information on what yours can do. In our example, we’re going to assume that any output can be defined for your VLAN.

The first thing you’ll need to do is gather the physical equipment that you’ll be using to create your VLAN. We’re using Netgear Prosafe equipment, but the method should be similar with other brands too – if you get stuck, check the documentation. In our case, we’re going to assume that your router only supports a single WAN and LAN, so we will use a secondary network access point for providing customer Wi-Fi, which will sit alongside the APs serving our main network. You’ll need to nominate an ethernet port on your main switch which will be given over to the VLAN, and if you’re running multiple VLANs, each one will need a separate port.

On some devices, there may be one ethernet port designated for VLAN use, whilst others may allow multiple VLANs on multiple ports. Check the instructions on your router for more information on what yours can do. In our example, we’re going to focus on setting up a single VLAN, but if you want to set up a number of VLANs, or your router doesn’t support them natively, you may need to add a dedicated VMPS – a VLAN management policy server capable of more advanced rules and additional features than your router GUI. If so, you’ll need to discuss this with your network infrastructure provider.

It should be noted that Cisco has its own proprietary system for managing multiple VLANs built around the Cisco VLAN Transport Protocol. If you use Cisco equipment, check with your representative about how to configure VLAN traffic on your network.

For our example, we’re going to assume you’re setting up a single VLAN, so the next step is cabling your access point to your switch. If you’re retrofitting a VLAN, you may find you have to do an audit on your ethernet wiring. Although using a VLAN to ‘ring-fence’ sensitive endpoints or applications is a valuable security strategy, a rogue physical connection between your VLAN and the rest of your network will render this useless. It may also cause all kinds of network problems, as the hardware connection will be in conflict with the software routing.


The death of network hardware appliances

Why the time to break free is now


With the cabling taken care of, we can move on to the software side. Creating a VLAN will be done in the management console of your main network switch or router; you may need to check the advanced settings section to check that VLAN support is enabled first. Once you’ve enabled the feature, create a new VLAN and assign it an ID number.

Each VLAN you create will have its own ID between 2 and 4096, with any traffic not assigned to a specific VLAN lumped under ID 1. If you’re setting up a VLAN to accommodate a specific piece of equipment, check the documentation, just in case they have a specific one in mind. The most common defined ID for IPTV and VOIP use is 101, but check requirements for your equipment. Any traffic outside the VLAN environment will automatically be given the default VLAN ID of 1.

Along with setting a VLAN ID, you’ll also be able to name this VLAN too, in the same way as a Wi-Fi network’s SSID, which is a bit more ergonomic for both end users and admins.

Next, we need to decide the parameters for our VLAN. You should be able to define variables such as which folders and directories the VLAN has access to, what communication ports are open, how much bandwidth is given over to VLAN traffic, what transport protocols are allowed, and lots more besides. Think about the specific purpose you want your VLAN to serve, and be careful not to over-provision it as this will take additional bandwidth away from the main network.

Some switches will offer traffic prioritisation for VLANs, allowing you to dictate which sub-networks have first dibs on available bandwidth. You may, for example, want to give your VoIP network a higher priority than your public Wi-Fi – or you may wish to give your archiving processes lower priority during work hours, but highest priority overnight.

At this point, you should decide which users will be routed through your VLAN. In our case it’s simple – anyone who connects through our separate public Wi-Fi access point. But it could be that different departments or branches are routed through different VLANs. User endpoints don’t have to be physically present - if a user logs onto your domain, for example, over VPN from home, their traffic can be routed based on their credentials.

As long as you’ve provisioned your company topography correctly through something like Active Directory or single sign-on (SSO), you can do this for job functions, departments and locations, as well as individual user endpoints. For our public Wi-Fi example, we simply want all traffic that connects to our public access point to have internet access to surf the web, without access to the internal business network.

Turn on the public Wi-Fi access point and configure it appropriately. If all has gone well, you should find that connecting to it will give you access to the internet, but nothing more – indicating that your VLAN setup is correctly isolating the two networks from each other.

While this is a fairly basic example of a VLAN implementation, the same principles can be applied to network management tasks across a whole range of different use cases and footprints. VLANs are an essential networking tool.

Chris Merriman has been writing about technology since the 1990s for a variety of titles including Computer Shopper, MSN, TechRadar, Tom’s Guide and The Inquirer, where he broke a number of major tech news stories that were picked up globally.  He has appeared on BBC, Sky News and Al Jazeera and was the resident tech expert at TalkRadio for a number of years. In between times, he has also been a consultant for several major tech firms.

Chris is fascinated by automation and the internet of things, as well as the evolution of the ways we communicate in the digital era. He's also a frequent contributor to ITPro's software guides, including Windows operating systems. Other specialisms include storage, peripherals, and web apps, and any gadget he’s allowed to take apart and fiddle with, preferably after throwing away the box, manual and receipt.