Managing virtual local area networks (VLANs) isn’t always easy. When setting up VLANs you must create them on your switches with their VLAN IDs and then you must assign the ports, users, or machines to a particular VLAN ID. On smaller networks, this is pretty simple and straightforward. But as you may already know, it becomes more complex on larger networks with multiple switches and dozens or more of users. Having equipment from multiple vendors doesn’t help either.
First you must choose a VLAN tagging protocol, which identifies the VLAN network frames are assigned to as they flow throughout multiple switches. Using switches supporting the IEEE 802.1Q standard is ideal for multiple vendor support; instead of proprietary protocols like Cisco’s Inter-switch link (ISL).
Next you need to select a VLAN trunking protocol, which synchronizes the VLAN information across all your switches so you can more easily create and modify VLANs. Using switches supporting IEEE 802.1Q standard version 2005 or later provides you with the multiple VLAN registration protocol (MVRP). This is ideal for multiple vendor support, instead of proprietary protocols like Cisco’s VLAN trunk protocol (VTP) or dynamic trunking protocol (DTP).
Finally, you should figure out the method you want to use to assign VLAN IDs to your ports, users, and machines. You could statically assign, for example, certain switch ports on a switch or certain SSIDs on access points (APs) to specific VLANs, so any user or device connecting through that port or SSID will be assigned to that VLAN. However, dynamic VLAN assignments, for instance, based upon the user or the MAC address of the connecting device is typically best so users and devices will be assigned to their VLAN no matter where they connect from.
For dynamic VLAN assignments, Cisco provides the VLAN management policy server (VMPS) with select switches to allow automated VLAN assignments based on the MAC address of devices. However, for Cisco or any other vendor consider using 802.1X, which provides port-based network access control to authenticate devices attempting to connect to a LAN or WLAN. Additionally, it supports dynamically assigning specific users, groups, or machines to VLANs. You could define VLAN assignments for the entire network at a single RADIUS server (required for 802.1X) or an external database.
Network management solutions
Most third-party network management solutions support VLAN among other network configuration for networking gear from multiple vendors. But you should double-check for support of your particular vendors and models. Here are a few network configuration and management solutions you may want to consider:
- HP (OpsWare) Network Automation
- ManageEngine Device Expert
- EMC Ionix Network Configuration Manager
- Solarwinds Orion Network Configuration Manager
RADIUS servers for dynamic VLANs assignments
Naturally, all RADIUS servers will allow dynamic VLAN assignments by defining RADIUS attributes for particular users or user groups. So for Windows Server deployments, you could use the network policy server (NPS) or Internet authentication service (IAS). Or you could use other servers like the free and open source FreeRADIUS or FreeNAC that both support 802.1X-based VLAN assignments in addition to Cisco’s VMPS.
802.1Q tagging and 802.1X authentication are the key to deploying VLANs, especially on heterogeneous networks. If you’re working with older equipment that doesn’t have VLAN protocols or management tools (or are proprietary), consider upgrading to newer gear that supports 802.1Q and 802.1X. And if you have a WAN, you should ensure you have the 802.1Q support in your routers and firewalls as well so you can deploy consistent VLANs across the multiple locations.
Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity that helps businesses protect their Wi-Fi with enterprise (802.1X) security and On Spot Techs that provides on-site computer services.