Understanding IP Production Networks: Part 8 - VLANs
How VLANs enable the division of an Ethernet network into multiple smaller logical networks.
Virtual Local Area Networks (VLANs) operate over Ethernet, that is, at layer 2. They are similar to IP subnets but not the same, and they provide both network security and improved performance.
IP has been successful within the internet and media domain as it is transport stream independent. That is, it can work with Ethernet, ISDN, ATM, serial and a whole plethora of different underlying hardware distribution networks. Video and audio streams provide a comparative analogy as they can both exist independently of SDI or computer networks.
A single Ethernet network can have thousands of devices connected to it using hubs, switches, and bridges.
Hubs are rarely used as they replicate all the traffic on one port to all the ports on the rest of the hub, causing an increased likelihood of congestion and collisions, especially in high bandwidth video and audio applications.
Switch Types
Switches are available in two varieties: managed and un-managed. An un-managed switch learns which devices are connected to each of its physical ports. When an IP camera wants to send video streams to a production switcher with IP address 10.2.1.9, it first sends an address resolution protocol (ARP) query, which says “who has IP address 10.2.1.9 and can you send me your Ethernet address?” The ARP query is sent to all devices connected to the layer-2 switch using an Ethernet broadcast message.
The production switcher responds with its Ethernet address; the camera then sets its destination Ethernet address to be that of the production switcher answering the ARP query. The un-managed layer-2 switch monitors this interaction and learns which port 10.2.1.9 is connected to, and from then on will only send traffic for the device to the port it is connected to, in effect reducing congestion on the rest of the network, thus stopping collisions and improving efficiency.
Un-managed layer-2 switches do not require configuration and cannot be used as VLAN devices. Managed layer-2 switches allow more control over the network such as data rate shaping, quality of service (QoS) configuration and VLAN ports.
A group of switches defines a network, and a bridge links several networks of the same protocol type together. In the case of Ethernet this is a layer-2 bridge. So, if Studio-1 is in one building and Studio-2 in another, a bridge can be used to link the two different networks together at the layer-2 level.
At layer-3, if the IP address of a packet cannot be resolved in the network, it is sent to a gateway router. The router has look up tables with destination addresses so that it can forward the packet to another network, which may also be a different protocol such as Asynchronous Transfer Mode (ATM).
Ethernet bridges differ from routers in that they can only forward layer-2 traffic between networks of the same type, for example Ethernet. If the user wants to send a packet to a network of a different type, for example an Asymmetric Digital Subscriber Line (ADSL), a router must be used.
The fundamental problem with this approach is that within a single Ethernet network, all devices can be seen by all other devices. Camera-1 in Studio-1 could send data to the sound console in Studio-3, even with a managed switch. This may increase flexibility, but the network becomes congested extremely quickly and security is an obvious issue. Equipment may stop working properly, as a sound console would not respond well to having data from many cameras relentlessly streamed to it.
How VLANs Help
Virtual LANs (VLANs) are a solution to both these problems.
When configured to operate in VLAN mode, layer-2 switches can logically separate an entire Ethernet network into many different logical networks. The key here is “logical”; the devices can still be connected to the same physical switch, but the ports can be labelled with different VLAN identifiers (VLAN IDs).
Figure 1 - Cameras can send video IP packets to Studio 1 Vision Switcher on VLAN10, but cannot send to Studio 2 as they are on a different VLAN.
The algorithms within the switches stop Ethernet frames being sent to ports with different VLAN IDs, thus greatly improving security and congestion handling.
The layer-2 switch inserts the VLAN ID into the header of an Ethernet frame as it enters the switch, sends it to the appropriate port, and just as the frame leaves the switch at the destination end the VLAN ID data is removed. From the point of view of the user the VLAN ID is never seen.
Each port on the switch can be configured as either an access type or trunk type. Access ports can have only one VLAN configured in the interface and carry traffic for only one VLAN. Trunk ports can have two or more VLANs configured on the interface and can carry several VLANs simultaneously. Trunk ports are generally used to route VLANs to different switches.
Although each access interface can have only one VLAN, there can be many different VLAN IDs on the same switch. This is where the logical separation, security and reduction of congestion take place. If port 1 has VLAN1, port 2 has VLAN2 and port 3 has VLAN3 configured in the switch, then none of the devices connected to these ports can see the devices on the other two. So, if camera 1 is connected on VLAN1 and microphone 1 on VLAN2, then camera 1's media streams cannot be sent to the microphone on VLAN2.
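As an added example (not from the article or any vendor's switch code), the following Python model of a VLAN-aware switch shows the access/trunk behaviour described above: the VLAN ID is attached on ingress, learning is kept per VLAN, a frame is never forwarded to a port with a different VLAN ID, trunk ports keep the tag and access ports strip it. The port numbers, device names and the VLAN10/VLAN20 layout are assumptions modelled on Figure 1.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass
class Frame:
    src: str                    # source MAC
    dst: str                    # destination MAC ("ff:ff:ff:ff:ff:ff" = broadcast)
    vlan: Optional[int] = None  # None = untagged; int = VLAN ID carried in the 802.1Q tag

@dataclass
class Port:
    mode: str       # "access" (exactly one VLAN) or "trunk" (several VLANs)
    vlans: Set[int]

class VlanSwitch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports
        self.mac_table: Dict[Tuple[int, str], int] = {}  # (vlan, mac) -> port, per VLAN

    def ingress_vlan(self, port_id: int, frame: Frame) -> Optional[int]:
        """VLAN a frame belongs to on entry, or None if the port must drop it."""
        port = self.ports[port_id]
        if port.mode == "access":
            return next(iter(port.vlans))  # tag assigned on entry; the user never sees it
        return frame.vlan if frame.vlan in port.vlans else None  # trunk needs a valid tag

    def forward(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        """Map of out_port -> frame as it leaves, for one frame entering in_port."""
        vlan = self.ingress_vlan(in_port, frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src)] = in_port           # learning, per VLAN
        known = self.mac_table.get((vlan, frame.dst))
        candidates = [known] if known is not None else list(self.ports)  # else flood
        out: Dict[int, Frame] = {}
        for pid in candidates:
            port = self.ports[pid]
            if pid == in_port or vlan not in port.vlans:
                continue  # a port with a different VLAN ID never receives the frame
            tag = vlan if port.mode == "trunk" else None      # access ports strip the tag
            out[pid] = Frame(frame.src, frame.dst, tag)
        return out

def studio_switch() -> VlanSwitch:
    """Constructed topology after Figure 1: VLAN10 = Studio 1, VLAN20 = Studio 2."""
    return VlanSwitch({1: Port("access", {10}),      # Camera 1
                       2: Port("access", {10}),      # Studio 1 vision switcher
                       3: Port("access", {20}),      # Studio 2 vision switcher
                       4: Port("trunk", {10, 20})})  # uplink to a second switch
```

An ARP broadcast from Camera 1 on port 1 reaches port 2 untagged and port 4 tagged with VLAN10, but never port 3; an untagged frame arriving on the trunk is dropped.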
Security Functionality
Sometimes a device may need access to a different VLAN. If the producer’s computer in Studio-1 was attached to VLAN11 and they needed email access which was on VLAN90, then a router would be needed to connect the two networks together. This doesn’t compromise security as the network administrator will be able to configure the router to allow only email traffic to the computer.
Figure 2 - For the producer to access emails, the network administrator must provide a route from 10.0.11.0/24 to 10.0.90.0/24 using a layer 3 router.
Furthermore, any communication between VLANs must take place through a router or bridging switch, and this provides a convenient choke point for security monitoring as well as rate shaping, inspection and logging. This further improves security, as system administrators can look for anomalies in traffic flows, such as unexpectedly high data rates that may signify a denial of service attack.
As each IP subnet is usually aligned to a VLAN ID, administration is easier and routing between different VLANs is more intuitive. Some layer-2 switches have layer-3 routers built into them, allowing routing between VLANs. If the layer-2 switch does not have a router built into it, then an external layer-3 router must be used.
VLANs isolate traffic at Layer-2, preventing every device on a switch from sharing the same broadcast domain. In a flat network, any endpoint can observe ARP broadcasts and Dynamic Host Configuration Protocol (DHCP) exchanges, along with a range of other discovery traffic. For an attacker, these protocols are invaluable: they reveal how the network is structured, what devices are present, and how addressing is assigned. More importantly, they enable ARP and DHCP spoofing, providing a pathway to man-in-the-middle attacks.
Both ARP and DHCP were created in an era when networks were implicitly trusted, and security threats were barely considered. As a result, neither protocol verifies the identity of participating devices, nor do they encrypt their data. Endpoints simply accept whatever ARP replies or DHCP offers they receive. This lack of authentication and integrity checking makes them an ideal target for hostile manipulation.
By intercepting ARP traffic, an attacker can inject forged ARP entries mapping the victim’s IP address to the attacker’s MAC address. This positions the attacker directly in the return path, enabling full two-way interception. From there, they can inspect and modify packets, harvest credentials, redirect users to fraudulent destinations, capture media streams, or degrade service quality.
Similarly, a rogue DHCP server that answers faster than the legitimate one can supply malicious configuration data. This includes directing clients to a hostile DNS server or injecting tailored routing information, giving the attacker control over traffic flows and the ability to isolate or disrupt devices across the network.
Detecting ARP and DHCP spoofing is challenging because ARP chatter and DHCP lease traffic appear normal, and forged packets are indistinguishable without dedicated safeguards. VLAN segmentation therefore becomes an essential defense.
It contains broadcast traffic within a defined domain and prevents attackers who compromise a single device from moving laterally across the network. Although an intruder may still operate within the infiltrated VLAN, the blast radius is significantly constrained, limiting the overall damage they can inflict.
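Because forged ARP replies and DHCP offers look like ordinary traffic, the practical check inside a VLAN is to compare what is observed against what the administrator expects. The following Python is an added example, not from the article: it runs two such checks over constructed observations on the 10.0.11.0/24 VLAN of Figure 2; the MAC baseline and the DHCP server allow list are assumptions standing in for the station's asset inventory.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample observations, not real traffic: (kind, ip_or_server, mac_or_gateway).
# "arp" rows are ARP replies seen on VLAN11; "dhcp_offer" rows are DHCP offers.
SAMPLE: List[Tuple[str, str, str]] = [
    ("arp", "10.0.11.9", "aa:aa:aa:aa:aa:09"),      # vision switcher, genuine
    ("dhcp_offer", "10.0.11.1", "10.0.11.1"),       # the station's own DHCP server
    ("arp", "10.0.11.9", "aa:aa:aa:aa:aa:09"),
    ("arp", "10.0.11.9", "de:ad:be:ef:00:01"),      # same IP, different MAC
    ("dhcp_offer", "10.0.11.200", "10.0.11.200"),   # server not on the allow list
]

def check_arp(events, baseline: Dict[str, str]) -> List[str]:
    """Flag an IP whose MAC differs from the known-good baseline (assumed to come
    from the station's asset inventory) or, failing that, from the first mapping seen."""
    seen = dict(baseline)
    alerts: List[str] = []
    for kind, ip, mac in events:
        if kind != "arp":
            continue
        if ip in seen and seen[ip] != mac:
            alerts.append(f"ARP conflict: {ip} was {seen[ip]}, now claimed by {mac}")
        seen.setdefault(ip, mac)
    return alerts

def check_dhcp(events, allowed_servers: Set[str]) -> List[str]:
    """Flag DHCP offers from any server the administrator has not authorised."""
    return [f"rogue DHCP offer from {srv} (gateway {gw})"
            for kind, srv, gw in events
            if kind == "dhcp_offer" and srv not in allowed_servers]

def audit(events, baseline: Dict[str, str], allowed_servers: Set[str]) -> List[str]:
    """Run both checks; on a real network the events come from the router choke point."""
    return check_arp(events, baseline) + check_dhcp(events, allowed_servers)
```

Run against the sample, the audit raises exactly two alerts: the MAC change for 10.0.11.9 and the offer from 10.0.11.200.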
Although VLAN segmentation is a critical foundation of network security, it is only one layer of protection; effective defense requires several additional measures working in harmony alongside it.