What is VLAN Tagging?

Written by Nick Scheidies on February 16, 2019

Share This Article

The best IT admins are always looking for ways to step-up their network security. One of the most impactful measures is to segment your network and control traffic via VLAN (virtual local area network) tagging. But if you’ve never segmented a network before and you don’t know the difference between tagged and untagged VLAN or why VLAN tagging is important, then you’ve come to the right place. Below, we’ll answer the question, “What is VLAN tagging?” and explain how it works. We’ll also explore some of the challenges and opportunities with VLAN tagging and why you might want to begin taking advantage of the latest in cloud RADIUS.

What is VLAN Tagging?

Essentially, VLAN tagging is the process of segmenting the network into several distinct network sections, and then placing systems and IT resources in those various segments. The rationale behind this approach is to step up security and balance performance or quality of service issues.

Here are some common use cases for VLAN tagging:

  • Managing access based on location (e.g. by floor or room)
  • Separating credit card transactions from other network activity.
  • Controlling resource access across departments (e.g. finance, sales, engineering).

VLAN tagging is also often known as dynamic VLAN assignment or VLAN steering.

How VLAN Tagging Works

VLAN Assignment Network Segmentation

The process of using VLAN tagging starts by creating separate segments of the network, often called VLANs. With most networks now using WiFi, IT admins simply create the VLANs in their wireless access point (WAP) management system. Each VLAN is given an identifier tag, which will be used later in VLAN monitoring.

The next part of the process is integrating these VLAN tags into the process of authentication and dynamically placing users and their systems into the correct VLAN. Generally, this is done automatically through the use of the RADIUS protocol and a RADIUS server.

As a user logs into the network, they are authenticated by the RADIUS server which verifies credentials with the identity provider. Assuming that the user passes, then the RADIUS server will provide RADIUS reply attributes, which specify which VLAN the user should be placed in. The WAPs then place the user and their device into the correct location.

By creating VLAN tags and then placing users in those VLANs by leveraging the tags by either group or individual user, IT admins are better able to control access across their network. The end result is a substantial improvement in network security.

Challenges and Opportunities

The process that we laid out above can be quite tedious and time consuming, so it isn’t surprising that most organizations aren’t using VLAN tagging. Smaller organizations generally don’t need to segment their networks, even if it would be beneficial for security and efficiency. The cost of maintaining and configuring a RADIUS server can be prohibitive for startups and SMBs – not to mention the expertise required to keep everything working as it should (or to troubleshoot effectively when it doesn’t).

As companies grow, the need for true network engineering grows. In our experience, it’s usually around the 100 employee benchmark when sysadmins and network architects begin seriously considering VLAN tagging.

The good news is that a cloud RADIUS platform is taking a great deal of the heavy lifting out of the process of implementing dynamic VLAN assignments. Just as cloud-based tools have done in the past with email, apps, and storage, RADIUS-as-a-Service absolves the need to configure and maintain an on-prem server. This solution, called JumpCloud Directory-as-a-Service, is opening up the door for better network security for organizations of all sizes.

Segment & Secure Your Network with JumpCloud

Cloud based identity and access management

If you already have a JumpCloud account, you can begin using cloud VLAN attributes to apply custom network policies right now. Just use the new RADIUS reply attributes functions within the JumpCloud PowerShell Module to configure and return RADIUS reply attributes, like VLAN tags. With just a few lines of code, you can gain fine-grained control over the authentication and authorization of groups of users to your networks. See our Knowledge Base for step-by-step instructions.

If you don’t yet have JumpCloud, but you’re interested in a lightweight way to improve your network security, then take a look at our Directory-as-a-Service platform. In addition to our cloud-based RADIUS offering, JumpCloud features robust user and system management, SSO, MFA, and LDAP-as-a-Service. Get a demo now – or sign up for a free account to get started with the platform, risk-free.

Nick Scheidies

Nick is a content marketing manager and multimedia specialist. He's been studying the intersection of cloud technology with identity management, LDAP, RADIUS, and directory services since 2015.

Continue Learning with our Newsletter