01/04/2026 VLANs in Virtualised Environment

VLANs are just LANs

When configuring networks in a modern virtualised enviroments, VLAN is an essential tool to effectively manage the access control strategy in a large enterprise network.

VLANs, as its name suggest, are simply virtual Local Area Networks (LAN). Similar to LANs, ommunication within the VLAN can be achieved on the Network level (Layer 2), and cross network traffic can only be achieved by cross network Layer 3 functionalities. 

Traditionally, each network had its own physical switch, and access is restricted by physical connections. When a computer wants to send a package to a destination outside of the network, it would check on the subnet mask of the network its on, realise the destination is not within the subnet, and direct the package to the mac address of the Gateway, where the Router (Layer 3) would pick this up and forward to the target network according to the routing table.

How the switch does it

This physical approach quickly becomes impossible on Enterprise scale virtualisation, where each physical host can host 10s even 100s of virtual machines (VMs) serving different functions and should belong to different LANs. This is where VLAN comes to use. 

Running multiple networks on the same physical switch is enabled by adding VLAN recognition to switches. This results in a modern Managed Switch. The Managed Switch will read source VLAN tags added to each package, and perform the following:

• If source and destination are in the same VLAN, treat as LAN traffic

• If source and destination are in different VLAN, forward to the gateway for Layer 3 Routing

By following the simple rules, Layer 2 Switch is able to host many different Networks on the same physical switch.

Some mordern switches also came with Layer 3 functionalities, just like a built in router, so intra Physical Switch but inter VLAN traffic can be correctly routed without having to send out to the Router and back, saving gateway bandwidth.

What does this look like in a Virtualised Environment

Let's take an extremely simplified example set up:

• 2 Physical Hosts

• 2 VLANs

• Layer 2 VSwitch

• Physical connection to Layer 3 Switch

This is a common set up, there are other set ups suitable for different demand. For example, sometimes vswitch themselves can perform Layer 3 functions, so intra Host inter VLAN traffic can be processed locally.

In this set up there are 4 scenarios:

• Same Host same VLAN

  • VM A10-1 to VM A10-2

• Same Host different VLAN

  • VM A10-1 to VM A20

• Different Host same VLAN

  • VM A10-1 to VM B10

• Different Host different VLAN

  • VM A10-1 to VM B10

I'll go through each scenario

Same Host same VLAN

• VM A10-1 sends package to Host A VSwitch

• VSwitches inspect VLAN tag, sees source and destination in same VLAN 10

• Send package to destination VM A10-2

Same Host different VLAN

• VM A10-1 sends package to Host A VSwitch

• Host A VSwitch inspect VLAN tag, sees source and destination in different VLAN, 10 and 20

• Send package to Gateway - Physical Layer 3 Switch

  • Physical Layer 3 switch route package following pre-defined ACL. If permitted, Layer 3 switch rewrite the Layer 2 header with VLAN 20

  • Layer 3 Switch sees the destination is in Host A VSwitch, sends package to Host A VSwitch 

• Host A VSwitch receives package with VLAN tag 20, same as destination VLAN (20), send package to destination VM A20

Different Host same VLAN

• VM A10-1 sends package to Host A VSwitch

• Host A VSwitch sees destination address is not mapped to any of its own port, sends package to upstream Layer 3 Switch

• Physical Layer 3 Switch receives package, sees destination is in Host B VSwitch, sends package to Host B Switch (this happens entirely at Layer 2, no Layer 3 functionality is invoked despite going through the Layer 3 Switch)

• Host B VSwitch receives package, inspect source and destination VLAN are the same, send package to destination VM B10

Different Host different VLAN

• VM A10-1 sends package to Host A VSwitch

• Host A VSwitch inspect VLAN tag, sees source and destination in different VLAN, 10 and 20

• Send package to Gateway - Physical Layer 3 Switch

  • Physical Layer 3 switch route package following pre-defined ACL. If permitted, Layer 3 switch rewrite the Layer 2 header with VLAN 20

  • Layer 3 Switch sees the destination is in Host B VSwitch, sends package to Host B VSwitch 

• Host B VSwitch receives package with VLAN tag 20, same as destination VLAN (20), send package to destination VM B20