Tag: vlan

Network Virtualization

(Part I) Network Virtualization

This is the first part in the series of posts dedicated to network virtualization and path isolation.

Virtualization is a technique of simulating a hardware device in software, usually on standard x86 CPU based servers. The hardware devices that are most commonly virtualized are (from most to least common) servers, firewalls, switches and routers. Almost any device you can think of can be virtualized; we listed the ones most commonly used within network operations. By using virtualization, we are able to run multiple virtual instances (virtual contexts) of a device in the same way as we would run “real” hardware devices. Each of these virtualized instances is, of course, running independently and usually operating with its own separate configuration, which enables separation by purpose. Virtual instances usually run either as multiple contexts on a specialised, virtualization-enabled device or as Virtual Machines (VMs) on a hypervisor platform like VMware or Hyper-V.

Network virtualization is one part of the virtualization explained above: it is the virtualization of networking devices. We use network virtualization with VLANs on switches to enable multiple broadcast domains (LAN segments) to be connected on one single switch. We do the same thing at layer 3 by enabling the router to run multiple routing instances through VRF configuration. With VRFs we split the router into multiple routers; with VLANs we split the switch into multiple switches. We do this with software, but only on specialized hardware devices that are virtualization-enabled.

There are two network elements we can virtualize

Network virtualization can be as simple as running a firewall on a VMware host. In this case we are just skipping the use of a real hardware appliance for the firewalling task.

Things get more complex with requirements for path isolation. Different categories of traffic then need to use the same physical devices and their interconnections while keeping complete data communication isolation between them. Here we are in a situation where we need to virtualize not only the above mentioned firewall but also the router forwarding plane and the interconnections between network devices.

VRF

VRF enables the router to run multiple “virtual” instances of its routing and forwarding table. VLANs separate switch port groups into separate broadcast domains/isolated segments. A firewall can have a trunk link with subinterfaces, each of which is a separate zone forwarding traffic for one router VRF. The image on top shows three different isolated paths which are forwarded through the same devices/interconnections. Below, the physical topology is shown.

Ok, that’s it! We can virtualize not only network devices but the paths between them too. Let’s see what that means.

Unidirectional communication filter between two VLANs

Block traffic between two VLANs, but only in one direction: how do you do that?

VLANs and VLAN configurations are useful in all kinds of different ways. This particular configuration will be useful sooner or later for all network administrators out there.

UPDATE on 01 Sep 2017:
This article is about reflexive access-lists, which enable some sort of false statefulness for TCP traffic going through your router. After some feedback from my readers, I wrote another, a bit better article about reflexive access-list configuration, so I suggest reading the other one as well.

It was a big challenge to resolve this tricky communication security requirement. The problem actually does not seem like a big deal but when you try to make it work you see that it is.


The goal was to build a unidirectional communication filter between two VLANs. The request was to allow VLAN 10 to access VLAN 20 but not the opposite. The computers in VLAN 10 needed to access resources in VLAN 20 normally, but computers in VLAN 20 had to be prevented from accessing VLAN 10.

Routing between VLANs

Hosts in a VLAN reside in their own broadcast domain and can communicate with each other quite freely. VLANs partition the network and separate traffic at layer 2 of the OSI model, and, as we discussed earlier about the need for routers, a layer-3 device is essential whenever a host or any other device needs to communicate between VLANs.

Dividing a LAN into multiple VLANs is basically the same as separating it into different physical LANs. In that case it is clear that you need a router to go from one LAN to another.

Trunking Methods – VLAN Identification methods across multiple switches

Frame Tagging

It is possible to build VLANs that span a number of connected switches. In the figure below you can see that the hosts from different VLANs are spread across several switches. The biggest advantage of implementing VLANs is their flexibility and power. The drawback is that it can become complicated, also for a switch, so it is important to have a way to easily keep track of all the users and frames as they travel through the VLANs and the switch fabric. (A switch fabric is the group of switches that share the same VLAN information.)

VLANs – Trunk and Access link types

Since frames are switched all over the internetwork, it is important for the switches to keep track of the various kinds of frames and to know how to handle them based on the hardware address. Frames are managed in a different manner depending on the kind of link they pass through.

In a switched environment there are two kinds of links, access links and trunk links: