What Are The Differences Between Virtual Local Network And Subnet In Computer Networks?
A few decades ago, computer networks had a simple architecture, so most companies needed only a network with a single broadcast domain (one VLAN) and one large Layer 3 network.
As time passed and the networks became bigger, this architecture was no longer usable and faced many problems due to its unicast nature.
For this reason, practical technologies such as virtual local area networks (VLANs) and subnets emerged, and they are now among the most critical components of TCP/IP networks.
These technologies are widely used to segment large networks, making them more manageable and efficient. However, some network and IT professionals still do not know the difference between the two concepts.
Overview of VLAN and Subnet
Virtual LANs operate at layer 2 of the OSI model and use different broadcast domains to separate local network traffic. Hosts on the same VLAN can communicate without problems, but hosts on different VLANs cannot communicate with each other by default unless Layer 3 routing is defined between them.
Subnets operate at layer 3 of the OSI model and are used to build small Layer 3 networks inside the IP address range of a larger network. You can see the diagram of a simple network in Figure 1. Let’s explore the differences between VLANs and subnets in more detail.
Figure 1: a simple network with two VLANs (10 and 20) and two subnets (192.168.10.0/24 and 192.168.20.0/24).
In Figure 1, you see a network with two virtual LANs (10 and 20) and two subnets with the addresses 192.168.10.0/24 and 192.168.20.0/24. Although hosts belonging to the two VLANs are connected to the same switch, they cannot communicate with each other through that switch.
If hosts in VLAN 10 want to communicate with hosts in VLAN 20, traffic from the hosts in VLAN 10 must be forwarded to the router interface with IP address 192.168.10.1; the router then forwards the packets out of its second interface (192.168.20.1) so that they finally reach VLAN 20.
What is a VLAN?
Virtual Local Area Networks (VLANs) isolate Ethernet traffic flowing through a local area network at layer 2, the data link layer, of the OSI model. Without VLANs, every frame transmitted on the network can be received by all devices on the network, and all of those devices can communicate with each other.
From a security point of view, such a situation is not ideal: in a corporate environment, users in the filing unit are not supposed to have access to the information of the financial department, and in an academic setting, students are not supposed to have access to the information of the IT unit.
To solve this problem, we use traffic isolation by defining VLANs on the switch interfaces to which the endpoint devices are attached. When traffic is sent from these endpoint devices to the switch, the switch tags the frames with a VLAN ID number. This is called 802.1Q VLAN tagging.
When a packet arrives at a switch port (access port on Cisco devices), the switch assigns an 802.1Q tag (VLAN ID) to the Ethernet frame. Now the switch forwards this frame only to other ports that belong to the same VLAN.
If the tag matches the VLAN assigned to that interface, the frame is allowed; if it does not match, the frame is dropped. This process is just like the lanes of a highway: the separate lanes represent different VLANs.
Another practical example is a building with four doors, coloured red, green, yellow, and blue, that lead to four different rooms. From a group of 40 people, ten are allowed to pass through the red door, ten through the green door, ten through the yellow door, and ten through the blue door.
If a person with a red permit tries to enter through the blue door, the card reader will issue an error message, so they will not be able to open the door and enter the room like the people holding a blue permit. They can only enter the red room.
Now we come to the critical question: what happens if a VLAN-tagged interface receives a frame that does not have a VLAN tag? By default, such a frame is dropped, and this is where a technique called the native VLAN comes in. The native VLAN is responsible for handling all untagged frames and is VLAN 1 by default on Cisco switches. The VLAN tagging process is based precisely on this rule.
Experienced engineers often change this number to prevent the problems associated with the default native VLAN. On a trunk interface, tagged traffic is allowed only for the VLANs permitted on that specific link.
Untagged network traffic, on the other hand, receives the native VLAN tag and is then carried across the trunk. Accordingly, both ends of the trunk must be configured with the same native VLAN, because if they use different native VLANs, the switch will drop untagged traffic due to the mismatch.
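To make the tagging rules above concrete, here is an added Python model (not code from the original article) of an 802.1Q tag parser and a switch port's ingress decision. The port model, the sample frame builder and the native-VLAN mismatch check are assumptions of this example, simplified from how a real switch behaves.

```python
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_vlan_tag(frame: bytes) -> Optional[int]:
    """Return the VLAN ID from an 802.1Q tag, or None for an untagged frame.
    Layout: dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2, low 12 bits = VID)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if int.from_bytes(frame[12:14], "big") != TPID_8021Q:
        return None
    if len(frame) < 16:
        raise ValueError("truncated 802.1Q tag")
    return int.from_bytes(frame[14:16], "big") & 0x0FFF

def build_frame(vid: Optional[int]) -> bytes:
    """Constructed sample frame: tagged with vid, or untagged when vid is None."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vid is not None:
        hdr += TPID_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    return hdr + (0x0800).to_bytes(2, "big") + b"\x00" * 46  # IPv4 EtherType + padding

@dataclass
class Port:
    mode: str                  # "access" or "trunk" (assumed simplified port model)
    vlan: int = 1              # access VLAN, or native VLAN for a trunk
    allowed: frozenset = field(default_factory=frozenset)  # VLANs permitted on a trunk

def classify_ingress(port: Port, frame: bytes) -> Optional[int]:
    """VLAN the frame is placed in on arrival, or None when the switch drops it."""
    vid = parse_vlan_tag(frame)
    if port.mode == "access":
        # An access port belongs to one VLAN; a tag for any other VLAN is dropped.
        return port.vlan if vid in (None, port.vlan) else None
    if vid is None:
        vid = port.vlan        # untagged frame on a trunk -> native VLAN
    return vid if vid in port.allowed else None

def native_mismatch(a: Port, b: Port) -> bool:
    """True when the two ends of a trunk disagree on the native VLAN, the
    misconfiguration the text warns about; audit this before trusting untagged traffic."""
    return a.mode == b.mode == "trunk" and a.vlan != b.vlan
```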
What is a Subnet?
In such a situation, many IP addresses are wasted, even in large networks, and a technology called the subnet was developed to solve this problem. A subnet is a small Layer 3 IP network created by dividing an extensive network into smaller segments within the IP address range of the larger network. A class A IP address with a subnet mask of 255.0.0.0 allows defining 127 networks with 16,777,216 IP host addresses per network.
A class A IP address range can be divided into smaller segments. These smaller segments are networks defined and usable within the same range as the primary IP address. The IP address 10.0.0.1 with a mask of 255.255.255.0 (/24) allows defining about 2 million subnets, but only 254 usable IP addresses will be available per subnet. The subnet mask is changed from /8 (255.0.0.0) to another mask with fewer IP addresses per subnet.
By dividing an extensive IP address range into smaller subnets, management can be done more precisely and use the IP address space more optimally.
In switch-based networks, each subnet is associated with its own VLAN, as you saw in Figure 1; for this reason, there is a direct mapping between VLAN and subnet. In large organizations, network administrators divide their LANs into several separate VLANs, each with its own Layer 3 subnet.
If we want an analogy here, Layer 3 subnets are similar to the rooms of an organization. People in the same room can communicate freely. However, if you want to go to another room (subnet), you must go through a door (the router gateway) that leads you to the other sections.
Comparison of VLAN and Subnet
Subnets are used to separate network traffic more precisely, but the main difference between VLANs and subnets is that VLANs use a Layer 2 mechanism to separate Ethernet traffic, which is done in the switching infrastructure. In contrast, subnets use a Layer 3 mechanism to separate traffic, which is done in the routing infrastructure.
In the real world, VLANs and subnets are used together to improve infrastructure security and provide a unified defense against security threats, as both methods can segregate internal network traffic. Although VLANs separate traffic, communication between them exists only through Layer 3 routing.
However, there are situations where you may want different VLANs to communicate with each other. For example, you have a file server connected to a switch and configured on VLAN 10, and a PC connected to the same switch but configured on VLAN 20 should be able to communicate with the file server.
In this case, the two components cannot communicate with each other at layer 2 because they are located in different VLANs.
For a networked device such as a desktop computer to communicate with the server, a Layer 3 router must perform inter-VLAN routing, just as shown in Figure 1. Another way of doing inter-VLAN routing is to use a Switch Virtual Interface (SVI) on a Layer 3 switch.
In this case, we must create the virtual switch interface on a Layer 3 switch for each VLAN. An SVI is a virtual network interface that acts as the default gateway for all hosts on a virtual LAN.
In the example of the previous paragraph, when the above interface is defined, the file server located in Vlan 10 can communicate with the computer located in Vlan 20 and vice versa. The above interface in Cisco switches must be configured as follows:
enable
configure terminal
! Layer 3 forwarding between the SVIs must be enabled on the switch
ip routing
vlan 10
 name Servers
vlan 20
 name User_PC
interface Vlan10
 description Servers
 ip address 10.0.1.1 255.255.255.0
interface Vlan20
 description User PCs
 ip address 10.0.2.2 255.255.255.0
After creating and configuring the virtual switch interface, all VLAN 10 and VLAN 20 devices can communicate with each other. Suppose you intend for only specific devices on Vlan 10 to communicate with devices on Vlan 20. In that case, you must define an Access Control List (ACL) for the switch’s virtual interface to determine which devices are allowed to communicate.
Can two virtual LANs have the same subnet?
Some experts who are new to the world of networking ask if we can have two different VLANs (such as VLAN 10 and VLAN 20) on the same switch and assign each VLAN a subnet such as 192.168.1.0/24. In theory, this is possible, but in practice, hosts connected to two VLANs will not be able to communicate, even if they are within the same subnet range.
Why? Because the two VLANs create two separate broadcast domains, the Layer 2 traffic in each VLAN stays within that VLAN and cannot reach the other one. Hence, hosts cannot communicate across the two broadcast domains.
A basic implementation is to define different Layer 3 subnets belonging to separate Layer 2 VLANs and then define a Layer 3 routing engine to communicate between the two VLANs/Subnets.
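The following added Python example (not code from the original article) models the VLAN-to-subnet mapping from the subnet section and the question just answered: it classifies whether two hosts on a switched network reach each other directly at layer 2, through a Layer 3 gateway (router interface or SVI), or not at all when a subnet is split across two VLANs. The Host record, the gateway table keyed by VLAN and the sample addresses are assumptions of this example, taken from the Figure 1 layout.

```python
from dataclasses import dataclass
from ipaddress import ip_interface, IPv4Interface
from typing import Dict

@dataclass(frozen=True)
class Host:
    name: str
    vlan: int
    addr: IPv4Interface      # address plus mask, e.g. 192.168.10.5/24

def make_host(name: str, vlan: int, cidr: str) -> Host:
    """Build a Host from a CIDR string such as '192.168.10.5/24' (constructed sample data)."""
    return Host(name, vlan, ip_interface(cidr))

def hosts_per_subnet(prefixlen: int) -> int:
    """Usable host addresses in a subnet of the given prefix length (network and
    broadcast addresses excluded), e.g. 254 for the /24 discussed in the text."""
    return max((1 << (32 - prefixlen)) - 2, 0)

def reachability(src: Host, dst: Host, gateways: Dict[int, str]) -> str:
    """Classify how src reaches dst. `gateways` maps a VLAN to the CIDR of its
    Layer 3 gateway (router interface or SVI); a VLAN without an entry has no gateway."""
    same_vlan = src.vlan == dst.vlan
    same_subnet = src.addr.network == dst.addr.network
    if same_vlan and same_subnet:
        return "direct"      # one broadcast domain, one subnet: plain Layer 2
    if same_subnet:
        # The case from the question above: the IP range matches, but the two
        # broadcast domains are separate, so ARP never crosses and nothing is routed.
        return "unreachable: same subnet split across VLANs"
    if src.vlan in gateways and dst.vlan in gateways:
        gw = ip_interface(gateways[src.vlan])
        if gw.ip in src.addr.network:
            return f"routed via {gw.ip}"
        return "unreachable: gateway outside source subnet"
    return "unreachable: no Layer 3 path"

# Constructed sample matching Figure 1: VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24.
FIGURE1_GATEWAYS = {10: "192.168.10.1/24", 20: "192.168.20.1/24"}

if __name__ == "__main__":
    a = make_host("pc-a", 10, "192.168.10.5/24")
    c = make_host("pc-c", 20, "192.168.20.5/24")
    print(reachability(a, c, FIGURE1_GATEWAYS))   # routed via 192.168.10.1
```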
Virtual LAN and subnet security
Let’s briefly review VLANs and subnets from a security perspective. Both concepts isolate and control traffic between hosts and local networks and therefore play an essential role in establishing network security.
The isolation mechanism provided by the virtual local area network is more efficient and powerful in terms of security than the isolation provided by the subnet. If you separate the hosts into different VLANs, you will ensure that the hosts in these VLANs cannot communicate with each other.
For example, suppose the finance department computers are on VLAN 10, and the engineering department computers are on VLAN 20. In this scenario, the computers are in two wholly isolated segments, and you can be sure that they will not be able to communicate unless the traffic between them first passes through a layer three device.
If you want a secure connection, use the subnetting technique with layer 3 or 4 firewalls to control routing between layer three subnets. Almost all big companies implement their networks based on such a mechanism.
In this case, the firewall can control the traffic between the different subnets so that only the necessary packets are exchanged between them, and any packets that violate the firewall’s security policies are dropped. This can be done at layer 3 or layer 4.
Suppose traffic between subnets only passes through a single router. In that case, you don’t have a powerful control mechanism like a firewall that allows you to monitor incoming and outgoing packets closely.
The best security method to protect networks is isolation at both the VLAN and the subnet level: each subnet is assigned to its own VLAN, and a firewall such as a Next-Generation Firewall (NGFW) monitors the traffic between the VLANs/subnets.