17.1 Introduction

In today’s distributed enterprise environments, branch offices are no longer isolated outposts but critical extensions of the corporate network, requiring robust, secure, and agile connectivity. Software-Defined Wide Area Networking (SD-WAN) has emerged as a transformative technology, enabling intelligent traffic steering, enhanced security, and simplified management across diverse WAN links. Central to successfully integrating branch offices into an SD-WAN fabric is the meticulous design and deployment of Virtual Local Area Networks (VLANs).

This chapter delves into the intricacies of VLAN deployments within SD-WAN and branch office contexts. We will explore the fundamental technical concepts, including advanced VLAN standards like IEEE 802.1Q and 802.1ad, and how they integrate into modern SD-WAN architectures. You will gain practical knowledge through multi-vendor configuration examples, learn to automate VLAN management using Ansible and Python, understand critical security considerations, and master troubleshooting techniques. By the end of this chapter, you will be equipped to design, implement, and maintain scalable and secure VLAN infrastructures for SD-WAN-enabled branch offices.

17.2 Technical Concepts

17.2.1 SD-WAN Architecture and Branch Integration

SD-WAN decouples the control plane from the data plane, centralizing network intelligence in an orchestrator/controller and enabling policy-driven management across various WAN transport services (MPLS, internet broadband, 5G). Branch offices connect to this fabric via SD-WAN edge devices (CPEs) that establish encrypted overlays (e.g., IPsec or DTLS tunnels) to central hubs or directly to other branches. Within the branch, VLANs segment local traffic before it enters the SD-WAN tunnel, so that classification, Quality of Service (QoS), and security policies can be applied per segment; the VLAN a packet arrives on is typically what maps it to an SD-WAN VPN/VRF and to the overlay policy that applies to it.

@startuml
!theme mars

' Step 1: Define ALL elements first
cloud "Internet/WAN" as WAN {
    node "ISP A" as ISP_A
    node "ISP B" as ISP_B
}

rectangle "Headquarters (HQ)" as HQ {
    component "SD-WAN Orchestrator" as ORCH
    node "SD-WAN Hub Router" as HQ_HUB
    node "Core Switch" as HQ_SW
    database "Central Services" as CENTRAL_SVC
}

rectangle "Branch Office 1" as BRANCH1 {
    node "SD-WAN Edge Device (CPE)" as BR1_CPE
    node "Branch Switch" as BR1_SW
    node "Corporate LAN (VLAN 10)" as CORP_LAN_BR1
    node "Guest Wi-Fi (VLAN 20)" as GUEST_WIFI_BR1
    node "Voice/VoIP (VLAN 30)" as VOICE_BR1
}

' Step 2: Then connect them
ORCH -- BR1_CPE : Policy & Control
ORCH -- HQ_HUB : Policy & Control

ISP_A <--> BR1_CPE : Underlay
ISP_B <--> BR1_CPE : Underlay
WAN <--> HQ_HUB : Underlay

BR1_CPE <--> HQ_HUB : SD-WAN Overlay Tunnels

BR1_CPE <--> BR1_SW : Trunk Link
BR1_SW <--> CORP_LAN_BR1 : Access Port
BR1_SW <--> GUEST_WIFI_BR1 : Access Port
BR1_SW <--> VOICE_BR1 : Access Port

HQ_HUB -- HQ_SW : Trunk Link
HQ_SW -- CENTRAL_SVC : Access Port

@enduml

17.2.2 VLAN Fundamentals in Branch Deployments

In a traditional branch, VLANs provide logical segmentation, isolating broadcast domains and enhancing security. In an SD-WAN branch, this segmentation remains vital. Common VLANs found in a branch office include:

  • Corporate Data VLAN: For employee workstations, servers, and business applications.
  • Voice/VoIP VLAN: Dedicated for IP phones to ensure QoS and prioritize voice traffic.
  • Guest Wi-Fi VLAN: Isolated network for visitors, often with internet-only access.
  • IoT/OT VLAN: For operational technology or smart devices, often requiring strict access control.
  • Management VLAN: For out-of-band or in-band management of network devices.
  • Native VLAN: The VLAN whose frames are sent untagged on a trunk port. For security, use a dedicated, otherwise unused VLAN ID as the native VLAN (never VLAN 1), and do not assign any access port to it: a host sitting in the native VLAN is the starting point for double-tagging attacks.

The SD-WAN edge device or a Layer 3 switch often performs inter-VLAN routing at the branch.

17.2.3 IEEE 802.1Q and 802.1ad (QinQ)

IEEE 802.1Q: This standard defines the tagging mechanism for VLANs on Ethernet frames. It inserts a 4-byte tag between the source MAC address and the Length/Type field: a 16-bit Tag Protocol Identifier (TPID, 0x8100) followed by 16 bits of Tag Control Information (TCI) holding a 3-bit Priority Code Point (PCP) for QoS, a 1-bit flag originally called the Canonical Format Indicator (CFI) and redefined as the Drop Eligible Indicator (DEI) in 802.1Q-2011, and a 12-bit VLAN ID (4096 values, of which 0 and 4095 are reserved, leaving 4094 usable VLANs). This tag enables a single physical link to carry traffic for multiple logical VLANs.

packetdiag {
  colwidth = 64
  0-47: Destination MAC Address
  48-95: Source MAC Address
  96-111: EtherType (0x8100 for 802.1Q)
  112-114: Priority (PCP)
  115: CFI
  116-127: VLAN ID (VID)
  128-143: Length/Type
  144-X: Payload (Data)
  X-Y: Frame Check Sequence (FCS)
}

IEEE 802.1ad (QinQ): Also known as “Provider Bridges” or “802.1Q in 802.1Q,” this amendment extends 802.1Q by allowing multiple VLAN tags (an outer “service provider” tag and an inner “customer” tag) to be inserted into a single Ethernet frame. This is primarily used by service providers to offer VLAN services to multiple customers over a shared infrastructure while keeping customer VLANs separate.

While 802.1ad is less common for internal branch office VLAN segmentation, it may be used by the SD-WAN service provider for the WAN transport itself, encapsulating the branch’s local VLAN traffic within an outer tag for transport across the provider network. This ensures customer VLAN IDs don’t conflict and allows the provider to manage their network efficiently.

packetdiag {
  colwidth = 64
  0-47: Destination MAC Address
  48-95: Source MAC Address
  96-111: S-EtherType (0x88A8 for 802.1ad)
  112-114: S-Priority (PCP)
  115: S-CFI
  116-127: S-VLAN ID (Service Provider VID)
  128-143: C-EtherType (0x8100 for 802.1Q)
  144-146: C-Priority (PCP)
  147: C-CFI
  148-159: C-VLAN ID (Customer VID)
  160-175: Length/Type
  176-X: Payload (Data)
  X-Y: Frame Check Sequence (FCS)
}
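The following Python is added here as a worked example; it is not code from the original chapter or from any vendor. build_frame and parse_frame encode and walk the tag stack exactly as the two diagrams above lay it out (a 16-bit TPID followed by a 16-bit TCI holding PCP, DEI/CFI and VID, repeated while the next EtherType is itself a TPID), and describe tells a legitimate 802.1ad S-TAG/C-TAG pair apart from two stacked 0x8100 tags, which is what a double-tagging VLAN-hopping frame looks like. The MAC addresses and sample frames are constructed, not captured.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100   # customer tag (C-TAG)
TPID_8021AD = 0x88A8  # service tag (S-TAG) used by 802.1ad QinQ
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


@dataclass
class VlanTag:
    tpid: int
    pcp: int  # 3-bit Priority Code Point
    dei: int  # 1-bit Drop Eligible Indicator (the bit called CFI in the original 802.1Q)
    vid: int  # 12-bit VLAN ID


@dataclass
class EthernetFrame:
    dst: bytes
    src: bytes
    tags: list = field(default_factory=list)  # outermost tag first
    ethertype: int = 0                         # the Length/Type that follows the tag stack
    payload: bytes = b""


def build_frame(dst, src, ethertype, payload, tags=()):
    """Encode a frame; tags is a sequence of (tpid, pcp, dei, vid), outermost first."""
    header = dst + src
    for tpid, pcp, dei, vid in tags:
        if not (0 <= pcp < 8 and dei in (0, 1) and 0 <= vid < 4096):
            raise ValueError("tag field out of range")
        tci = (pcp << 13) | (dei << 12) | vid  # 3 + 1 + 12 bits, big-endian
        header += struct.pack("!HH", tpid, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(raw):
    """Walk the tag stack: each 4-byte tag sits where Length/Type would be,
    so keep consuming tags while the next 16 bits are a known TPID."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    dst, src, offset, tags = raw[:6], raw[6:12], 12, []
    while True:
        if offset + 2 > len(raw):
            raise ValueError("truncated frame")
        ethertype = struct.unpack_from("!H", raw, offset)[0]
        if ethertype not in TAG_TPIDS:
            break
        if offset + 4 > len(raw):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", raw, offset + 2)[0]
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return EthernetFrame(dst, src, tags, ethertype, raw[offset + 2:])


def describe(frame):
    """Summarise the tag stack the way a capture tool would."""
    if not frame.tags:
        return "untagged"
    if len(frame.tags) == 1:
        return f"802.1Q tagged, VID {frame.tags[0].vid}"
    outer, inner = frame.tags[0], frame.tags[1]
    if outer.tpid == TPID_8021AD:
        kind = "802.1ad QinQ"
    else:
        # two stacked 0x8100 tags is what a double-tagging VLAN-hopping frame looks like
        kind = "double 0x8100 (possible VLAN-hopping frame)"
    return f"{kind}, outer VID {outer.vid} / inner VID {inner.vid}"


# Constructed sample frames (not captured traffic)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("02aabbccddee")
PAYLOAD = bytes(46)  # minimum Ethernet payload
SAMPLES = {
    "voice": [(TPID_8021Q, 5, 0, 30)],                                # PCP 5 on VLAN 30
    "provider": [(TPID_8021AD, 0, 0, 500), (TPID_8021Q, 0, 0, 10)],   # S-VID 500 around C-VID 10
    "hopping": [(TPID_8021Q, 0, 0, 1), (TPID_8021Q, 0, 0, 10)],        # native VLAN 1 outside, victim VLAN 10 inside
}

if __name__ == "__main__":
    for label, tags in SAMPLES.items():
        frame = parse_frame(build_frame(DST, SRC, 0x0800, PAYLOAD, tags))
        print(f"{label:9s} {describe(frame)}")
```

Because the parser stops at the first EtherType that is not a TPID, it handles untagged, single-tagged, 802.1ad and double-0x8100 frames with the same loop, which is also how a switch ASIC decides where the Length/Type field starts.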

17.2.4 Control Plane vs. Data Plane

In the context of VLANs at a branch:

  • Control Plane: The protocols that create, distribute and maintain VLAN state. VLAN Trunking Protocol (VTP) and the standards-based GVRP (GARP VLAN Registration Protocol, superseded by MVRP in 802.1ak) distribute VLAN databases dynamically. VTP is often discouraged because a switch joining the domain with a higher configuration revision number overwrites the VLAN database of every other switch in the domain, so VTP transparent mode (or no VTP) with explicit per-switch VLAN configuration is preferred. Spanning Tree instances (PVST+, Rapid PVST+, or MST) also run in the control plane to keep the Layer 2 topology loop-free.
  • Data Plane: Where user traffic is forwarded based on VLAN tags. Switches forward frames within a VLAN by VLAN ID and destination MAC address; inter-VLAN routing is performed by a Layer 3 device, either through one SVI per VLAN on a Layer 3 switch (an IRB interface on Juniper) or through 802.1Q sub-interfaces on a router-on-a-stick.

17.2.5 Branch Network Segmentation and Traffic Flow

nwdiag {
  network corporate {
    address = "10.10.10.0/24"
    color = "#CCFFCC"
    description = "VLAN 10: Corporate Data"
    BR_SW [address = "10.10.10.1", shape=box];
    UserPC [address = "10.10.10.10"];
    FileSvr [address = "10.10.10.20"];
  }

  network voice {
    address = "10.10.30.0/24"
    color = "#CCE0FF"
    description = "VLAN 30: Voice/VoIP"
    BR_SW [address = "10.10.30.1", shape=box];
    IP_Phone [address = "10.10.30.15"];
  }

  network guest {
    address = "10.10.20.0/24"
    color = "#FFCCCC"
    description = "VLAN 20: Guest Wi-Fi"
    BR_SW [address = "10.10.20.1", shape=box];
    GuestAP [address = "10.10.20.5"];
    GuestClient [address = "10.10.20.25"];
  }

  network management {
    address = "10.10.99.0/24"
    color = "#FFFFCC"
    description = "VLAN 99: Management"
    BR_SW [address = "10.10.99.1", shape=box];
    BR_CPE [address = "10.10.99.2"];
  }

  network trunk {
    color = "#DDDDDD"
    description = "Trunk Links"
    BR_SW;
    BR_CPE;
  }

  BR_CPE -- WAN_Overlay;
}

This nwdiag depicts a typical branch setup where a Branch Switch (BR_SW) connects various VLANs. The BR_SW also connects to the SD-WAN Edge (BR_CPE) via a trunk link, allowing tagged traffic for all relevant VLANs to pass through. The BR_CPE then routes traffic from these VLANs into the appropriate SD-WAN overlay tunnels.

17.3 Configuration Examples

These configurations demonstrate basic VLAN setup, interface assignment, and inter-VLAN routing (SVI/IRB) on common branch devices. Assume the SD-WAN edge device is performing Layer 3 functions for the branch.

17.3.1 Cisco IOS XE Configuration

This example shows VLAN creation, interface configuration as access/trunk, and SVI creation for inter-VLAN routing on a Cisco SD-WAN Edge Router or a Catalyst switch at a branch.

! Cisco IOS XE Configuration Example
! Device: SD-WAN Edge Router (acting as Layer 3 switch for branch) or Branch L3 Switch
! Note: IOS only treats "!" as a comment at the start of a line, so comments are kept
! on their own lines and this block can be pasted into the device as-is.

! Global VLAN creation
vlan 10
 name CORPORATE_DATA
vlan 20
 name GUEST_WIFI
vlan 30
 name VOICE_VOIP
vlan 99
 name MANAGEMENT
! Best practice: a dedicated, otherwise unused VLAN as the trunk native VLAN
vlan 100
 name NATIVE_UNUSED
! Blackhole VLAN for unused ports (no SVI, never used as a native VLAN)
vlan 999
 name BLACKHOLE

! Interface Configuration - Access Ports
! Static access mode plus "switchport nonegotiate" turns DTP off; BPDU guard
! err-disables the port if a switch appears behind it (see 17.6).
interface GigabitEthernet0/1
 description Corporate PC Connection
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 description Guest AP Uplink
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! PC in data VLAN 10; the IP phone tags its own frames into voice VLAN 30
interface GigabitEthernet0/3
 description IP Phone and PC (Voice VLAN)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 30
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!

! Interface Configuration - Trunk Port to downstream L2 Switch or another L3 device
interface GigabitEthernet0/4
 description Uplink to Branch L2 Switch
! Only needed on platforms that also support ISL; omit if the command is rejected
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
! Best practice: non-default native VLAN, and prune the trunk to the VLANs it needs
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20,30,99,100
!

! SVI (Switched Virtual Interface) for Inter-VLAN Routing
interface Vlan10
 description Corporate Data VLAN SVI
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 description Guest Wi-Fi VLAN SVI
 ip address 10.10.20.1 255.255.255.0
 no shutdown
!
interface Vlan30
 description Voice/VoIP VLAN SVI
 ip address 10.10.30.1 255.255.255.0
 no shutdown
!
interface Vlan99
 description Management VLAN SVI
 ip address 10.10.99.1 255.255.255.0
 no shutdown
!

! Security best practice: park unused ports in the blackhole VLAN and shut them down
interface range GigabitEthernet0/5 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!

! Verification Commands
show vlan brief
show interfaces trunk
show interfaces status
show interfaces GigabitEthernet0/1 switchport
show port-security
show ip interface brief

17.3.2 Juniper JunOS Configuration

This example shows VLAN creation, interface configuration as access/trunk, and IRB (Integrated Routing and Bridging) creation for inter-VLAN routing on a Juniper SRX or EX Series switch at a branch.

# Juniper Junos Configuration Example (Enhanced Layer 2 Software, ELS, CLI syntax)
# Device: Juniper SRX (acting as Layer 3 switch for branch) or EX Series Switch
# Note: comments are kept on their own lines; do not append "#" text to a set command.

edit vlans
set VLAN_CORPORATE vlan-id 10
set VLAN_CORPORATE l3-interface irb.10
set VLAN_GUEST vlan-id 20
set VLAN_GUEST l3-interface irb.20
set VLAN_VOICE vlan-id 30
set VLAN_VOICE l3-interface irb.30
set VLAN_MANAGEMENT vlan-id 99
set VLAN_MANAGEMENT l3-interface irb.99
# Best practice: a dedicated, otherwise unused VLAN as the trunk native VLAN
set VLAN_NATIVE_UNUSED vlan-id 100
top

edit interfaces

# Interface Configuration - Access Ports
set ge-0/0/1 description "Corporate PC Connection"
set ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN_CORPORATE

set ge-0/0/2 description "Guest AP Uplink"
set ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set ge-0/0/2 unit 0 family ethernet-switching vlan members VLAN_GUEST

# PC in the data VLAN; the voice VLAN is attached below under switch-options voip
set ge-0/0/3 description "IP Phone and PC (Voice VLAN)"
set ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set ge-0/0/3 unit 0 family ethernet-switching vlan members VLAN_CORPORATE

# Interface Configuration - Trunk Port to downstream L2 Switch or another L3 device
# Best practice: non-default native VLAN (on ELS it must also be listed in vlan members)
set ge-0/0/4 description "Uplink to Branch L2 Switch"
set ge-0/0/4 native-vlan-id 100
set ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set ge-0/0/4 unit 0 family ethernet-switching vlan members [ VLAN_CORPORATE VLAN_GUEST VLAN_VOICE VLAN_MANAGEMENT VLAN_NATIVE_UNUSED ]

# IRB (Integrated Routing and Bridging) for Inter-VLAN Routing
set irb unit 10 family inet address 10.10.10.1/24
set irb unit 20 family inet address 10.10.20.1/24
set irb unit 30 family inet address 10.10.30.1/24
set irb unit 99 family inet address 10.10.99.1/24

# Security best practice: disable unused ports with one interface-range (assuming 24 ports)
set interface-range UNUSED member-range ge-0/0/5 to ge-0/0/23
set interface-range UNUSED disable
top

# Voice VLAN for the phone port and MAC limiting on the PC port (ELS syntax;
# non-ELS platforms use ethernet-switching-options instead of switch-options)
set switch-options voip interface ge-0/0/3.0 vlan VLAN_VOICE
set switch-options voip interface ge-0/0/3.0 forwarding-class assured-forwarding
set switch-options interface ge-0/0/1.0 interface-mac-limit 5 packet-action drop

# BPDU protection on edge (access) ports
set protocols rstp interface ge-0/0/1 edge
set protocols rstp interface ge-0/0/2 edge
set protocols rstp interface ge-0/0/3 edge
set protocols rstp bpdu-block-on-edge

commit and-quit

# Verification Commands
show vlans
show ethernet-switching interface ge-0/0/4
show interfaces ge-0/0/1 extensive
show interfaces irb terse

17.4 Network Diagrams

(Diagrams are integrated into the “Technical Concepts” section for better context.)

17.5 Automation Examples

Automating VLAN deployment is crucial for consistency and efficiency, especially across numerous branch offices.

17.5.1 Ansible Playbook

This Ansible playbook automates the creation of VLANs and configuration of switchports on Cisco IOS XE devices.

---
- name: Configure Branch Office VLANs and Interfaces on Cisco IOS XE
  hosts: branch_ios_xe_devices
  gather_facts: false
  connection: ansible.netcommon.network_cli

  vars:
    ansible_network_os: cisco.ios.ios
    # cisco.ios.ios_vlans expects the keys vlan_id and name
    vlans:
      - vlan_id: 10
        name: CORPORATE_DATA
      - vlan_id: 20
        name: GUEST_WIFI
      - vlan_id: 30
        name: VOICE_VOIP
      - vlan_id: 99
        name: MANAGEMENT
      - vlan_id: 100
        name: NATIVE_UNUSED
    access_ports:
      - name: GigabitEthernet0/1
        description: "Corporate PC Connection"
        vlan: 10
        voice_vlan: null    # not a voice port
        port_security: true
      - name: GigabitEthernet0/2
        description: "Guest AP Uplink"
        vlan: 20
        voice_vlan: null
        port_security: false
      - name: GigabitEthernet0/3
        description: "IP Phone and PC"
        vlan: 10
        voice_vlan: 30
        port_security: true
    trunk_ports:
      - name: GigabitEthernet0/4
        description: "Uplink to Branch L2 Switch"
        native_vlan: 100
        allowed_vlans: ["10", "20", "30", "99", "100"]
    svis:
      - id: 10
        address: "10.10.10.1/24"    # ios_l3_interfaces takes CIDR notation
      - id: 20
        address: "10.10.20.1/24"
      - id: 30
        address: "10.10.30.1/24"
      - id: 99
        address: "10.10.99.1/24"
    unused_ports:
      prefix: GigabitEthernet0/
      first: 5
      last: 24                      # adjust as per device
    # Hardening lines that have no resource module; pushed with ios_config (see 17.6)
    access_hardening:
      - switchport nonegotiate
      - spanning-tree portfast
      - spanning-tree bpduguard enable
    port_security_lines:
      - switchport port-security
      - switchport port-security maximum 5
      - switchport port-security violation restrict
      - switchport port-security mac-address sticky

  tasks:
    - name: Create VLANs
      cisco.ios.ios_vlans:
        config: "{{ vlans }}"
        state: merged

    - name: Set descriptions and enable access and trunk ports
      cisco.ios.ios_interfaces:
        config:
          - name: "{{ item.name }}"
            description: "{{ item.description }}"
            enabled: true
        state: merged
      loop: "{{ access_ports + trunk_ports }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Configure access ports (static access mode, optional voice VLAN)
      cisco.ios.ios_l2_interfaces:
        config:
          - name: "{{ item.name }}"
            mode: access
            access:
              vlan: "{{ item.vlan }}"
            voice: "{{ {'vlan': item.voice_vlan} if item.voice_vlan else omit }}"
        state: merged
      loop: "{{ access_ports }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Harden access ports (disable DTP, BPDU guard, port security where flagged)
      cisco.ios.ios_config:
        parents: "interface {{ item.name }}"
        lines: "{{ access_hardening + (port_security_lines if item.port_security else []) }}"
      loop: "{{ access_ports }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Configure trunk ports with a non-default native VLAN and a pruned VLAN list
      cisco.ios.ios_l2_interfaces:
        config:
          - name: "{{ item.name }}"
            mode: trunk
            trunk:
              encapsulation: dot1q    # remove on platforms that do not support ISL
              native_vlan: "{{ item.native_vlan }}"
              allowed_vlans: "{{ item.allowed_vlans }}"
        state: merged
      loop: "{{ trunk_ports }}"

    - name: Disable DTP on trunk ports
      cisco.ios.ios_config:
        parents: "interface {{ item.name }}"
        lines:
          - switchport nonegotiate
      loop: "{{ trunk_ports }}"

    - name: Configure SVIs for inter-VLAN routing
      cisco.ios.ios_l3_interfaces:
        config:
          - name: "Vlan{{ item.id }}"
            ipv4:
              - address: "{{ item.address }}"
        state: merged
      loop: "{{ svis }}"

    - name: Describe and enable SVIs
      cisco.ios.ios_interfaces:
        config:
          - name: "Vlan{{ item.id }}"
            description: "VLAN {{ item.id }} SVI"
            enabled: true
        state: merged
      loop: "{{ svis }}"

    - name: Shut down unused ports for security
      cisco.ios.ios_interfaces:
        config:
          - name: "{{ unused_ports.prefix }}{{ item }}"
            enabled: false
        state: merged
      loop: "{{ range(unused_ports.first, unused_ports.last + 1) | list }}"

17.5.2 Python with Netmiko

This Python script uses Netmiko to connect to a Cisco IOS XE device and apply VLAN and interface configurations.

import os
import sys
from getpass import getpass

from netmiko import ConnectHandler, NetmikoAuthenticationException, NetmikoTimeoutException


def load_device():
    """Netmiko connection details. Credentials come from the environment or an
    interactive prompt, never from the script itself or from version control."""
    return {
        "device_type": "cisco_ios",
        "host": os.environ.get("BRANCH_SW_HOST", "your_device_ip"),
        "username": os.environ.get("BRANCH_SW_USER", "your_username"),
        "password": os.environ.get("BRANCH_SW_PASS") or getpass("Device password: "),
        "port": 22,
    }


# Configuration data (can come from a YAML file, database, etc.)
CONFIG_DATA = {
    "vlans": [
        {"id": 10, "name": "CORPORATE_DATA"},
        {"id": 20, "name": "GUEST_WIFI"},
        {"id": 30, "name": "VOICE_VOIP"},
        {"id": 99, "name": "MANAGEMENT"},
        {"id": 100, "name": "NATIVE_UNUSED"},
    ],
    "access_ports": [
        {"name": "GigabitEthernet0/1", "description": "Corporate PC Connection", "vlan": 10, "voice_vlan": None, "port_security": True},
        {"name": "GigabitEthernet0/2", "description": "Guest AP Uplink", "vlan": 20, "voice_vlan": None, "port_security": False},
        {"name": "GigabitEthernet0/3", "description": "IP Phone and PC", "vlan": 10, "voice_vlan": 30, "port_security": True},
    ],
    "trunk_ports": [
        {"name": "GigabitEthernet0/4", "description": "Uplink to Branch L2 Switch", "native_vlan": 100, "allowed_vlans": "10,20,30,99,100"},
    ],
    "svis": [
        {"id": 10, "ip_address": "10.10.10.1", "mask": "255.255.255.0"},
        {"id": 20, "ip_address": "10.10.20.1", "mask": "255.255.255.0"},
        {"id": 30, "ip_address": "10.10.30.1", "mask": "255.255.255.0"},
        {"id": 99, "ip_address": "10.10.99.1", "mask": "255.255.255.0"},
    ],
    # IOS "interface range" syntax needs the spaces around the dash
    "unused_ports_range": "GigabitEthernet0/5 - 24",
}

# Hardening applied to every access port (see section 17.6)
ACCESS_HARDENING = [
    " switchport nonegotiate",          # no DTP: the port can never negotiate a trunk
    " spanning-tree portfast",
    " spanning-tree bpduguard enable",  # err-disable the port if a switch appears behind it
]
PORT_SECURITY = [
    " switchport port-security",        # the feature must be enabled before its options take effect
    " switchport port-security maximum 5",
    " switchport port-security violation restrict",
    " switchport port-security mac-address sticky",
]
# IOS reports a rejected line inline instead of raising, so the echoed output is scanned for these
ERROR_MARKERS = ("% Invalid", "% Incomplete", "% Ambiguous")


def generate_vlan_config(vlans):
    config_commands = []
    for vlan in vlans:
        config_commands.append(f"vlan {vlan['id']}")
        config_commands.append(f" name {vlan['name']}")
    return config_commands


def generate_access_port_config(access_ports):
    config_commands = []
    for port in access_ports:
        config_commands.append(f"interface {port['name']}")
        config_commands.append(f" description {port['description']}")
        config_commands.append(" switchport mode access")
        config_commands.append(f" switchport access vlan {port['vlan']}")
        if port["voice_vlan"]:
            config_commands.append(f" switchport voice vlan {port['voice_vlan']}")
        config_commands.extend(ACCESS_HARDENING)
        if port["port_security"]:
            config_commands.extend(PORT_SECURITY)
    return config_commands


def generate_trunk_port_config(trunk_ports):
    config_commands = []
    for port in trunk_ports:
        config_commands.append(f"interface {port['name']}")
        config_commands.append(f" description {port['description']}")
        # Only needed on platforms that also support ISL; remove if the device rejects it
        config_commands.append(" switchport trunk encapsulation dot1q")
        config_commands.append(" switchport mode trunk")
        config_commands.append(" switchport nonegotiate")
        config_commands.append(f" switchport trunk native vlan {port['native_vlan']}")
        config_commands.append(f" switchport trunk allowed vlan {port['allowed_vlans']}")
    return config_commands


def generate_svi_config(svis):
    config_commands = []
    for svi in svis:
        config_commands.append(f"interface Vlan{svi['id']}")
        config_commands.append(f" description VLAN {svi['id']} SVI")
        config_commands.append(f" ip address {svi['ip_address']} {svi['mask']}")
        config_commands.append(" no shutdown")
    return config_commands


def generate_unused_ports_config(unused_ports_range):
    return [f"interface range {unused_ports_range}", " shutdown"]


def build_config(config_data):
    full_config = []
    full_config.extend(generate_vlan_config(config_data["vlans"]))
    full_config.extend(generate_access_port_config(config_data["access_ports"]))
    full_config.extend(generate_trunk_port_config(config_data["trunk_ports"]))
    full_config.extend(generate_svi_config(config_data["svis"]))
    full_config.extend(generate_unused_ports_config(config_data["unused_ports_range"]))
    return full_config


def config_errors(output):
    """send_config_set() does not raise when IOS rejects a command; the
    rejection is echoed in the output, so pick those lines out."""
    return [line for line in output.splitlines() if line.strip().startswith(ERROR_MARKERS)]


def apply_config(device_details, config_data):
    try:
        with ConnectHandler(**device_details) as net_connect:
            print(f"Connected to {device_details['host']}")
            print("\nSending configuration:")
            output = net_connect.send_config_set(build_config(config_data))
            print(output)

            errors = config_errors(output)
            if errors:
                print("Device rejected the following commands; not saving:")
                print("\n".join(errors))
                return False
            net_connect.save_config()  # write memory
            print("Configuration applied and saved.")

            print("\n--- Verifying Configuration ---")
            for cmd in ("show vlan brief", "show interfaces trunk", "show ip interface brief"):
                print(f"\n{cmd}:\n" + net_connect.send_command(cmd))
            return True
    except (NetmikoTimeoutException, NetmikoAuthenticationException) as e:
        print(f"Connection failed: {e}")
        return False


if __name__ == "__main__":
    sys.exit(0 if apply_config(load_device(), CONFIG_DATA) else 1)

17.5.3 Terraform for Cloud Network Integration

While Terraform doesn’t directly configure VLANs on physical branch switches, it is invaluable for provisioning the cloud network infrastructure that SD-WAN interacts with. This could include creating AWS VPCs, subnets, transit gateways, and VPN connections that act as the cloud-side “hub” for SD-WAN branches.

Here’s an example of how Terraform might provision a VPC and subnets that would host a virtual SD-WAN hub appliance or integrate with a cloud provider’s native SD-WAN capabilities.

# main.tf for AWS VPC and Subnets to host SD-WAN Hub

provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "sdwan_hub_vpc" {
  cidr_block           = "172.16.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
  tags = {
    Name = "SDWAN-Hub-VPC"
  }
}

# Public Subnet for internet-facing interfaces (e.g., SD-WAN appliance WAN interface)
resource "aws_subnet" "public_subnet" {
  vpc_id                  = aws_vpc.sdwan_hub_vpc.id
  cidr_block              = "172.16.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = true
  tags = {
    Name = "SDWAN-Hub-Public-Subnet"
    Tier = "Public"
  }
}

# Private Subnet for internal services or SD-WAN appliance LAN interface
resource "aws_subnet" "private_subnet" {
  vpc_id            = aws_vpc.sdwan_hub_vpc.id
  cidr_block        = "172.16.10.0/24"
  availability_zone = "us-east-1a"
  tags = {
    Name = "SDWAN-Hub-Private-Subnet"
    Tier = "Private"
  }
}

# Internet Gateway for public subnet egress
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.sdwan_hub_vpc.id
  tags = {
    Name = "SDWAN-Hub-IGW"
  }
}

# Route Table for public subnet
resource "aws_route_table" "public_rt" {
  vpc_id = aws_vpc.sdwan_hub_vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
  tags = {
    Name = "SDWAN-Hub-Public-RT"
  }
}

resource "aws_route_table_association" "public_rt_assoc" {
  subnet_id      = aws_subnet.public_subnet.id
  route_table_id = aws_route_table.public_rt.id
}

output "vpc_id" {
  description = "The ID of the created VPC"
  value       = aws_vpc.sdwan_hub_vpc.id
}

output "public_subnet_id" {
  description = "The ID of the public subnet"
  value       = aws_subnet.public_subnet.id
}

output "private_subnet_id" {
  description = "The ID of the private subnet"
  value       = aws_subnet.private_subnet.id
}

This Terraform setup creates the foundational network within AWS. An SD-WAN virtual appliance would then be deployed into these subnets, and its internal interfaces would connect to these subnets. VLANs within these subnets are managed at a different layer (e.g., OS-level VLAN tagging on the VM or micro-segmentation within AWS, not traditional 802.1Q on the VPC itself).

17.6 Security Considerations

VLANs, while providing segmentation, are not a security panacea. Improperly configured VLANs can introduce significant vulnerabilities.

  • VLAN Hopping Attacks: Attackers attempt to jump from one VLAN to another.
    • Switch Spoofing (DTP Exploitation): An attacker’s device pretends to be a switch, negotiating a trunk link.
      • Mitigation: Disable Dynamic Trunking Protocol (DTP) on all user-facing ports. Manually configure trunk ports as switchport mode trunk and access ports as switchport mode access.
    • Double Tagging (802.1Q Exploitation): An attacker on a port in the trunk’s native VLAN sends a frame carrying two 802.1Q tags: an outer tag with the native VLAN ID and an inner tag with the victim VLAN ID. The first switch strips the outer tag (native-VLAN frames leave a trunk untagged) and forwards the frame across the trunk; the next switch sees only the inner tag and delivers the frame into the victim VLAN. The attack is unidirectional (replies cannot come back the same way), but that is enough to inject traffic into a VLAN that ACLs would otherwise block.
      • Mitigation: Do NOT use VLAN 1, or any VLAN that has access ports or an SVI, as the native VLAN on trunks. Dedicate an unused VLAN ID (e.g., VLAN 100) as the native VLAN for all trunk ports with an explicit switchport trunk native vlan <unused_vlan_id>, so that no attacker can ever sit in the native VLAN. Where supported, the Cisco global command vlan dot1q tag native makes the switch tag native-VLAN frames on trunks and drop untagged ones, removing the outer-tag stripping the attack depends on.
  • Default VLAN 1: Many switches default to VLAN 1 for all ports and management. This is a security risk.
    • Mitigation: Move all user data and management interfaces off VLAN 1. Place management interfaces in a dedicated, restricted management VLAN. Configure all unused ports to be in an unused “blackhole” VLAN and shut them down.
  • Private VLANs (PVLANs): A VLAN can be subdivided into isolated ports (which can only talk to promiscuous ports such as the gateway) and community ports (which can also talk to each other) while still sharing one IP subnet.
    • Use: Apply PVLANs, or the simpler switchport protected on platforms without PVLAN support, to stop clients in the same VLAN from talking to each other directly (e.g., guest networks or multi-tenant environments), so a compromised host cannot scan or attack its neighbours at Layer 2.
  • Access Control Lists (ACLs) / Firewall Policies: VLANs define broadcast domains; ACLs define traffic flow between them.
    • Mitigation: Implement explicit ACLs or firewall policies on the inter-VLAN routing device (SD-WAN edge or Layer 3 switch) to control communication between different VLANs. For instance, restrict guest VLAN access to only internet resources and corporate DNS.
  • Port Security: Limits the number of MAC addresses learned on an access port.
    • Mitigation: Enable port security on all access ports to prevent unauthorized devices from connecting and to limit MAC address table overflow attacks.
  • BPDU Guard and Root Guard: Prevent rogue or accidental switches from influencing the STP topology.
    • Mitigation: Enable BPDU Guard (together with PortFast) on all access ports so the port is err-disabled the moment a BPDU arrives, which indicates an unauthorized switch or a looped cable. Enable Root Guard on trunk ports facing downstream switches so that a device on the far side can never become the root bridge and pull traffic through itself.

Security Warning: Never rely solely on VLANs for security segmentation. Always combine VLANs with robust access control lists, firewalls, and other security mechanisms. Always change default credentials and secure device access.

Security Configuration Example (Cisco - Port Security and Port Hardening)

! Blackhole VLAN for unused ports (no SVI, never used as a native VLAN)
vlan 999
 name BLACKHOLE
!
interface GigabitEthernet0/1
 description Corporate PC Connection with Port Security
 switchport mode access
 switchport access vlan 10
! Disable DTP so the port can never negotiate a trunk
 switchport nonegotiate
! Enable port security and allow 2 MACs (PC plus IP phone through the phone's PC port)
 switchport port-security
 switchport port-security maximum 2
! restrict: drop offending frames, log and count the violation, keep the port up
 switchport port-security violation restrict
! Dynamically learn the allowed MACs and keep them in the running configuration
 switchport port-security mac-address sticky
! Err-disable the port if a BPDU (i.e., a switch) appears behind it
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 description Unused Port - Security Hardening
 switchport mode access
! Park the port in the dedicated blackhole VLAN, then shut it down
 switchport access vlan 999
 shutdown
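As an added example (not code from the chapter or from any vendor tool), here is a small Python audit that parses a Cisco IOS running-config and reports which of the mitigations above are missing on each Layer 2 port: DTP left enabled, VLAN 1 or a VLAN that carries hosts used as a trunk native VLAN, the native VLAN accepted on the trunk, and access ports without BPDU guard or port security. The running-config it audits is constructed for the example, and the severity labels and exact checks are this example’s own choices.

```python
import re
from collections import OrderedDict


def parse_interfaces(config_text):
    """Split an IOS running-config into {interface name: [sub-commands]}."""
    interfaces, current = OrderedDict(), None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def expand_vlan_list(spec):
    """IOS VLAN list notation: '10,20-22,99' -> {10, 20, 21, 22, 99}."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def audit_interface(name, cmds, active):
    """Return (interface, severity, message) findings for one Layer 2 port;
    'active' is the set of VLANs that have hosts or an SVI."""
    findings, cmdset = [], set(cmds)
    if "shutdown" in cmdset:
        return findings  # shut is the safe state for an unused port
    mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
    if mode in (None, "dynamic"):
        findings.append((name, "HIGH", "no static switchport mode: DTP can negotiate a trunk (switch spoofing)"))
        return findings
    if "switchport nonegotiate" not in cmdset:
        findings.append((name, "MEDIUM", "DTP still running; add 'switchport nonegotiate'"))
    if mode == "trunk":
        native, allowed = 1, None  # IOS defaults: native VLAN 1, all VLANs allowed
        for c in cmds:
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", c)
            native = int(m.group(1)) if m else native
            m = re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", c)
            allowed = expand_vlan_list(m.group(1)) if m else allowed
        if native == 1:
            findings.append((name, "HIGH", "native VLAN is 1 (double-tagging target); use an unused native VLAN"))
        elif native in active:
            findings.append((name, "HIGH", f"native VLAN {native} has hosts or an SVI; a host there can double-tag"))
        if allowed is None:
            findings.append((name, "MEDIUM", "all VLANs allowed on the trunk; prune to the VLANs needed"))
        elif native in allowed:
            findings.append((name, "LOW", f"native VLAN {native} is in the allowed list; untagged frames are accepted"))
    elif mode == "access":
        if "spanning-tree bpduguard enable" not in cmdset:
            findings.append((name, "MEDIUM", "BPDU guard not enabled"))
        if "switchport port-security" not in cmdset:
            findings.append((name, "LOW", "port security not enabled"))
    return findings


def audit_config(config_text):
    """Audit every Layer 2 port; SVIs, loopbacks, tunnels and routed ports are skipped."""
    interfaces = parse_interfaces(config_text)
    # VLANs with an SVI or an access port assigned: hosts live there, so none may be a native VLAN
    active = {int(m.group(1)) for name, cmds in interfaces.items()
              for m in [re.fullmatch(r"Vlan(\d+)", name)] + [re.fullmatch(r"switchport access vlan (\d+)", c) for c in cmds] if m}
    findings = []
    for name, cmds in interfaces.items():
        routed = name.startswith(("Vlan", "Loopback", "Tunnel")) or any(c.startswith(("ip address", "no switchport")) for c in cmds)
        if not routed:
            findings.extend(audit_interface(name, cmds, active))
    return findings


# Constructed running-config excerpt (not taken from a real device)
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,30,99
!
interface GigabitEthernet0/4
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20,30,99
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
"""

if __name__ == "__main__":
    for iface, sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"{sev:6s} {iface}: {msg}")
```

Run against the constructed config, GigabitEthernet0/2 is flagged HIGH because it has no static mode (DTP default), GigabitEthernet0/3 gets a HIGH for native VLAN 1 plus a MEDIUM for DTP and a LOW for carrying the native VLAN, while GigabitEthernet0/1 and 0/4 pass. Feeding it the output of show running-config collected by the Netmiko script in 17.5.2 turns the checklist above into a repeatable control.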

17.7 Verification & Troubleshooting

Effective verification and troubleshooting are essential to ensure VLANs are correctly deployed and operating within the SD-WAN branch.

17.7.1 Verification Commands

Cisco IOS XE:

# Verify VLANs and their status
show vlan brief

# Verify trunk port configuration
show interfaces trunk

# Verify access port configuration
show interfaces GigabitEthernet0/1 switchport

# Verify SVI IP addresses and status
show ip interface brief

# Verify MAC address table for learned MACs on specific VLANs/interfaces
show mac address-table vlan 10
show mac address-table interface GigabitEthernet0/1

# Verify spanning-tree status per VLAN (if STP is active)
show spanning-tree vlan 10

Juniper Junos (ELS):

# Verify VLANs and their associated interfaces
show vlans

# Verify interface mode (access/trunk), native VLAN and VLAN membership
show ethernet-switching interface ge-0/0/4
show interfaces ge-0/0/1 extensive | match "Ethernet-switching|VLAN|Link-level|Description"

# Verify IRB interface IP addresses and status
show interfaces irb.10
show interfaces terse | match irb

# Verify MAC address table
show ethernet-switching table vlan-name VLAN_CORPORATE

17.7.2 Common Issues and Resolution Steps

  • VLAN Mismatch
    • Description: An access port is configured for VLAN X but the connected device expects VLAN Y, or a VLAN allowed on a trunk has not been created on the switch at the other end, so frames for it are silently dropped.
    • Resolution: Check show vlan brief and show interfaces switchport (Cisco) or show vlans and show ethernet-switching interface (Juniper). Ensure VLAN IDs match on both ends of a link, that every allowed VLAN exists on both switches, and that devices are in the correct VLAN.
  • Native VLAN Mismatch
    • Description: Trunk ports on connected switches have different native VLAN IDs. Untagged traffic from one side is delivered into a different VLAN on the other, which is both a connectivity problem and a VLAN-hopping exposure.
    • Resolution: Check show interfaces trunk (Cisco) or show ethernet-switching interface (Juniper); on Cisco, CDP also logs %CDP-4-NATIVE_VLAN_MISMATCH. Standardize the native VLAN across all trunk links, preferably on an unused VLAN ID.
  • Trunking Issues
    • Description: The link between switches, or between a switch and the router/SD-WAN edge, is not forming a trunk or only carries some of the expected VLANs.
    • Resolution: Verify switchport mode trunk and switchport trunk allowed vlan (Cisco) or interface-mode trunk and vlan members (Juniper). On Cisco platforms that also support ISL, set switchport trunk encapsulation dot1q explicitly. Check physical connectivity.
  • Inter-VLAN Routing Failure
    • Description: Devices in different VLANs cannot communicate even though both VLANs are up.
    • Resolution: Check SVI/IRB status and IP addressing (show ip interface brief, show interfaces irb terse). Verify the routing table on the Layer 3 device (show ip route, show route). Check for ACLs or firewall policies blocking the traffic, and that hosts use the SVI/IRB address as their default gateway.
  • STP Blocking/Loops
    • Description: Spanning Tree incorrectly blocks a port required for traffic, or a loop forms and causes an outage.
    • Resolution: Check show spanning-tree vlan X (Cisco). Ensure consistent STP configuration across devices. Use BPDU guard on access ports and root guard on trunk ports to protect the STP topology.
  • VLAN Hopping Attack
    • Description: Unauthorized access to a different VLAN.
    • Resolution: Review the security best practices in 17.6: disable DTP, use an unused native VLAN, shut down unused ports, enable port security, implement ACLs. Check logs for err-disabled ports, port-security violations and native VLAN mismatch messages.
  • Duplex/Speed Mismatch
    • Description: Physical layer issue leading to slow performance or errors.
    • Resolution: Check show interfaces (Cisco) or show interfaces extensive (Juniper) for CRC errors, input/output drops and the negotiated duplex/speed. Ensure consistent auto-negotiation or hard-set values on both ends of the link.
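To make the VLAN, native-VLAN and trunking checks above concrete, here is an added example (not from the chapter or from any vendor) that parses the output of Cisco show interfaces trunk from both ends of a link and reports the mismatches. The two outputs are constructed for the example: the SD-WAN edge (Gi0/4) uses native VLAN 100, while the downstream switch (Gi0/1) was left at native VLAN 1 and never had VLAN 30 created, so phones on that switch cannot reach their gateway.

```python
def expand_vlan_list(spec):
    """IOS VLAN list notation: '10,20-22,99' -> {10, 20, 21, 22, 99}."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def parse_show_interfaces_trunk(text):
    """Parse 'show interfaces trunk' into
    {port: {"mode", "status", "native", "allowed", "active", "forwarding"}}.
    The command prints four tables, each introduced by a 'Port ...' header line."""
    trunks, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):
            header = line.lower()
            if "native" in header:
                section = "native"
            elif "allowed and active" in header:
                section = "active"
            elif "allowed on trunk" in header:
                section = "allowed"
            elif "forwarding" in header:
                section = "forwarding"
            else:
                section = None
            continue
        fields = line.split()
        if not fields or section is None:
            continue
        entry = trunks.setdefault(fields[0], {})
        if section == "native":
            entry["mode"], entry["status"], entry["native"] = fields[1], fields[3], int(fields[4])
        else:
            vlans = fields[1] if len(fields) > 1 else "none"
            entry[section] = set() if vlans.lower() == "none" else expand_vlan_list(vlans)
    return trunks


def check_trunk_pair(local_port, local, remote_port, remote):
    """Compare both ends of one trunk link and list the issues from 17.7.2 it shows."""
    a, b = local[local_port], remote[remote_port]
    issues = []
    if a["native"] != b["native"]:
        issues.append(f"native VLAN mismatch: {local_port}={a['native']} vs {remote_port}={b['native']} "
                      "(untagged frames cross VLANs)")
    for side, port, entry in (("local", local_port, a), ("remote", remote_port, b)):
        if entry["status"] != "trunking":
            issues.append(f"{side} {port}: not trunking (status {entry['status']})")
        if entry["native"] == 1:
            issues.append(f"{side} {port}: native VLAN 1; use an unused native VLAN")
        undefined = entry["allowed"] - entry["active"]
        if undefined:
            issues.append(f"{side} {port}: VLANs {sorted(undefined)} allowed but not created on this switch")
    only_local, only_remote = a["allowed"] - b["allowed"], b["allowed"] - a["allowed"]
    if only_local or only_remote:
        issues.append(f"allowed-VLAN mismatch: only {local_port} allows {sorted(only_local)}, "
                      f"only {remote_port} allows {sorted(only_remote)}")
    return issues


# Constructed command output (not captured from real devices)
CPE_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/4       on               802.1q         trunking      100

Port        Vlans allowed on trunk
Gi0/4       10,20,30,99,100

Port        Vlans allowed and active in management domain
Gi0/4       10,20,30,99,100

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/4       10,20,30,99,100
"""

SWITCH_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20,30,99

Port        Vlans allowed and active in management domain
Gi0/1       10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20,99
"""

if __name__ == "__main__":
    cpe = parse_show_interfaces_trunk(CPE_OUTPUT)
    switch = parse_show_interfaces_trunk(SWITCH_OUTPUT)
    for issue in check_trunk_pair("Gi0/4", cpe, "Gi0/1", switch):
        print("-", issue)
```

The "allowed but not created" check is the one most often missed by eye: the VLAN appears in the allowed list, so the trunk looks correct, but the switch drops every frame for it because it has no entry in show vlan brief. When CDP is enabled on both sides, a native VLAN mismatch is also reported in the log as %CDP-4-NATIVE_VLAN_MISMATCH.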

17.7.3 Root Cause Analysis

When troubleshooting, follow a systematic approach:

  1. Layer 1 (Physical): Check cables, link lights, speed/duplex settings.
  2. Layer 2 (Data Link - VLANs): Verify VLAN existence, port assignments (access/trunk), native VLAN. Check MAC address tables. Look for STP issues.
  3. Layer 3 (Network - IP): Verify SVI/IRB IP addresses, subnet masks, default gateways. Check routing tables. Ping between devices in the same VLAN, then different VLANs.
  4. Layer 4-7 (Application): Check firewall policies, DNS, application-specific configurations.

17.8 Performance Optimization

Optimizing VLAN performance ensures efficient traffic flow and resource utilization in branch offices.

  • VLAN Pruning: Prevents unnecessary broadcast, unknown unicast, and multicast traffic from being sent over trunk links to switches that don’t have active ports for those VLANs.
    • Benefit: Reduces bandwidth consumption and CPU utilization on switches.
    • Implementation: Configure switchport trunk allowed vlan explicitly on Cisco. VTP pruning can automate this, but explicit configuration is generally preferred for control and security. Juniper trunks only forward VLANs that are explicitly vlan members.
  • Broadcast Domain Reduction: Smaller VLANs mean smaller broadcast domains, reducing the impact of broadcast storms and ARP floods.
    • Benefit: Improves network efficiency and resilience.
    • Implementation: Design VLANs granularly, avoiding excessively large VLANs.
  • QoS Integration: Ensure critical applications (VoIP, video conferencing) receive prioritized treatment.
    • Benefit: Guarantees performance for business-critical traffic over the WAN.
    • Implementation: Leverage 802.1Q PCP bits (Layer 2 QoS) and IP Differentiated Services Code Point (DSCP) (Layer 3 QoS) markings. Apply QoS policies at VLAN ingress and egress points, especially on the SD-WAN edge device before traffic enters the tunnel.
  • Link Aggregation (LAG/EtherChannel): Bundle multiple physical links into a single logical link for increased bandwidth and redundancy on trunk connections.
    • Benefit: Provides higher throughput and fault tolerance for key inter-switch or switch-to-router connections.
    • Implementation: Configure LACP (IEEE 802.3ad/802.1AX, standards-based) on the member interfaces; PAgP is Cisco-proprietary and only usable on all-Cisco links. Apply the trunk settings (mode, native VLAN, allowed list) to the port-channel interface so that every member stays consistent.
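
The checks behind the VLAN Hopping row of the troubleshooting table and the VLAN Pruning item above can be run against saved show output instead of by eye. The following Python is an added example written for this chapter, not code from the book or from Cisco. It parses constructed "show interfaces <port> switchport" text (the field layout follows IOS; the port names and values are made up) and reports DTP-negotiable ports, trunks that still send DTP, native VLAN 1, unpruned trunks, and a trunk native VLAN that also carries hosts on the same switch.

```python
"""Audit Cisco IOS switchports for VLAN-hopping exposure and unpruned trunks.

Added example for this chapter, not vendor or project code. It parses the output
of 'show interfaces <port> switchport' (one block per port, blank-line separated)
and applies the chapter's rules: no DTP on access or trunk ports, native VLAN
never 1 and never carrying hosts, trunks pruned to the VLANs the branch needs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample in the layout of IOS output; not captured from a real switch.
SAMPLE_SWITCHPORT_OUTPUT = """\
Name: Gi0/1
Administrative Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 100 (NATIVE_TRUNK_UNUSED)
Trunking VLANs Enabled: 10,20,30,100

Name: Gi0/2
Administrative Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (CORPORATE_DATA)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi0/7
Administrative Mode: dynamic auto
Negotiation of Trunking: On
Access Mode VLAN: 100 (NATIVE_TRUNK_UNUSED)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class SwitchPort:
    name: str
    admin_mode: str      # 'trunk', 'static access', 'dynamic auto', 'dynamic desirable'
    dtp_on: bool         # 'Negotiation of Trunking: On' means DTP frames are sent
    access_vlan: int
    native_vlan: int
    allowed: Set[int]    # VLANs the port would carry if it trunks


def parse_vlan_spec(spec: str) -> Set[int]:
    """'10,20,30,100', '2-5,7', '1-4094' or 'ALL' -> set of VLAN IDs."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return set(range(1, 4095))
    vlans: Set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switchport(output: str) -> List[SwitchPort]:
    """Split the output into per-port blocks and pull out the fields we audit."""
    ports = []
    for block in re.split(r"\n\s*\n", output.strip()):
        f: Dict[str, str] = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                f[m["key"]] = m["val"]
        ports.append(SwitchPort(
            name=f["Name"],
            admin_mode=f["Administrative Mode"].lower(),
            dtp_on=f["Negotiation of Trunking"].strip().lower() == "on",
            access_vlan=int(f["Access Mode VLAN"].split()[0]),
            native_vlan=int(f["Trunking Native Mode VLAN"].split()[0]),
            allowed=parse_vlan_spec(f["Trunking VLANs Enabled"]),
        ))
    return ports


def audit(ports: List[SwitchPort]) -> Dict[str, List[str]]:
    """Map each port name to a list of finding codes, each with the fix to apply."""
    findings: Dict[str, List[str]] = {p.name: [] for p in ports}
    trunk_natives = {p.native_vlan for p in ports if p.admin_mode == "trunk"}
    for p in ports:
        if p.admin_mode.startswith("dynamic"):
            findings[p.name].append("DTP_DYNAMIC_PORT: an attached host can negotiate "
                                    "a trunk (switch spoofing); set 'switchport mode access'")
        if p.admin_mode == "trunk":
            if p.dtp_on:
                findings[p.name].append("DTP_ON_TRUNK: add 'switchport nonegotiate'")
            if p.native_vlan == 1:
                findings[p.name].append("NATIVE_VLAN_1: move the native VLAN to an unused ID")
            if len(p.allowed) == 4094:
                findings[p.name].append("NO_PRUNING: trunk carries all VLANs; set "
                                        "'switchport trunk allowed vlan' to the branch VLANs")
        elif p.access_vlan in trunk_natives:
            # Hosts sitting on the trunk's native VLAN are what make double tagging work.
            findings[p.name].append(f"NATIVE_VLAN_IN_USE: access VLAN {p.access_vlan} is also "
                                    "a trunk native VLAN on this switch (double-tagging exposure)")
    return findings


if __name__ == "__main__":
    for port, issues in audit(parse_switchport(SAMPLE_SWITCHPORT_OUTPUT)).items():
        print(port, "OK" if not issues else "\n  " + "\n  ".join(issues))
```

Feed it the real output of each switch (for example collected by the Ansible or Python tooling earlier in the chapter) and, for the two ports that share a link, also compare their native VLANs: a mismatch is a finding in its own right, because untagged frames then land in a different VLAN on each side.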

17.9 Hands-On Lab

Lab Topology:

nwdiag {
  network SDWAN_WAN {
    address = "Internet/MPLS"
    color = "#FFDDDD"
    description = "SD-WAN Overlay"
    Cisco_SDWAN_Edge;
    Cloud_Hub [shape=cloud];
  }

  network BRANCH_LAN {
    address = "10.10.0.0/16"
    color = "#DDEEFF"
    description = "Branch Local Network"
    Cisco_SDWAN_Edge [address = "10.10.99.1/24"];
    Branch_L2_Switch;
  }

  network CORPORATE {
    address = "10.10.10.0/24"
    color = "#CCFFCC"
    description = "VLAN 10"
    Branch_L2_Switch;
    Corporate_PC [address = "10.10.10.10"];
    Corporate_Server [address = "10.10.10.20"];
  }

  network GUEST {
    address = "10.10.20.0/24"
    color = "#FFCCCC"
    description = "VLAN 20"
    Branch_L2_Switch;
    Guest_AP [address = "10.10.20.5"];
  }

  network VOICE {
    address = "10.10.30.0/24"
    color = "#CCE0FF"
    description = "VLAN 30"
    Branch_L2_Switch;
    IP_Phone [address = "10.10.30.15"];
  }

  Cloud_Hub -- Cisco_SDWAN_Edge : SD-WAN Tunnels;
  Cisco_SDWAN_Edge -- Branch_L2_Switch : Trunk Link;
  Branch_L2_Switch -- Corporate_PC;
  Branch_L2_Switch -- Corporate_Server;
  Branch_L2_Switch -- Guest_AP;
  Branch_L2_Switch -- IP_Phone;
}

Objectives:

  1. Configure VLANs 10, 20, 30, 100 (native, carries no hosts) and 999 (blackhole) on both the Cisco SD-WAN Edge (acting as L3) and the Branch L2 Switch.
  2. Configure a trunk link between the SD-WAN Edge and the Branch L2 Switch, ensuring all required VLANs are allowed and VLAN 100 is the native VLAN.
  3. Configure access ports on the Branch L2 Switch for Corporate PC (VLAN 10), Guest AP (VLAN 20), and IP Phone (Voice VLAN 30, Data VLAN 10).
  4. Configure SVIs on the Cisco SD-WAN Edge for inter-VLAN routing (VLAN 10, 20, 30).
  5. Implement security best practices (port security, shutdown unused ports, non-default native VLAN).
  6. Verify VLAN configuration and inter-VLAN connectivity.

Step-by-Step Configuration (Cisco IOS XE for SD-WAN Edge, Cisco IOS for L2 Switch):

Part 1: Cisco SD-WAN Edge (Acting as L3 Router/Switch)

! Cisco SD-WAN Edge (L3 Device) Configuration
hostname SDWAN-Edge-BR1

! Global VLANs
vlan 10
 name CORPORATE_DATA
vlan 20
 name GUEST_WIFI
vlan 30
 name VOICE_VOIP
vlan 100
 name NATIVE_TRUNK_UNUSED
vlan 999
 name BLACKHOLE_UNUSED
!

! Interface for Trunk to Branch L2 Switch
interface GigabitEthernet0/1
 description "Trunk to Branch L2 Switch"
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! mode trunk alone still sends DTP frames; nonegotiate stops them
 switchport nonegotiate
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20,30,100
 speed auto
 duplex auto
 no shutdown
!

! SVIs for Inter-VLAN Routing
interface Vlan10
 description "Corporate Data VLAN SVI"
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 description "Guest Wi-Fi VLAN SVI"
 ip address 10.10.20.1 255.255.255.0
 no shutdown
!
interface Vlan30
 description "Voice/VoIP VLAN SVI"
 ip address 10.10.30.1 255.255.255.0
 no shutdown
!

! Management/WAN interface (placeholder)
interface GigabitEthernet0/0
 description "WAN Interface to SD-WAN Overlay"
 ip address 192.168.1.10 255.255.255.0
 no shutdown
!

Part 2: Branch L2 Switch Configuration

! Branch L2 Switch Configuration
hostname Branch-L2-SW1

! Global VLANs
vlan 10
 name CORPORATE_DATA
vlan 20
 name GUEST_WIFI
vlan 30
 name VOICE_VOIP
vlan 100
 name NATIVE_TRUNK_UNUSED
vlan 999
 name BLACKHOLE_UNUSED
!

! Interface for Trunk to SD-WAN Edge
interface GigabitEthernet0/1
 description "Trunk to SDWAN Edge"
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! mode trunk alone still sends DTP frames; nonegotiate stops them
 switchport nonegotiate
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20,30,100
 speed auto
 duplex auto
 no shutdown
!

! Access Port for Corporate PC
interface GigabitEthernet0/2
 description "Corporate PC"
 switchport mode access
 switchport access vlan 10
 ! port security must be enabled explicitly; the maximum/violation/sticky
 ! lines below have no effect without this command
 switchport port-security
 ! maximum 2 allows the PC plus one extra MAC (e.g. a docking station); use 1 if not needed
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! a BPDU arriving on a host port means a rogue switch: err-disable it
 spanning-tree portfast
 spanning-tree bpduguard enable
 speed auto
 duplex auto
 no shutdown
!

! Access Port for Guest AP
interface GigabitEthernet0/3
 description "Guest Wi-Fi AP"
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 speed auto
 duplex auto
 no shutdown
!

! Access Port for IP Phone (with PC pass-through)
interface GigabitEthernet0/4
 description "IP Phone and PC"
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 30
 ! two MACs are expected: the phone (voice VLAN 30) and the PC behind it (data VLAN 10)
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 speed auto
 duplex auto
 no shutdown
!

! Security: Shut down unused ports and assign to blackhole VLAN
! (IOS range syntax: the second value is the port number only, not "0/24")
interface range GigabitEthernet0/5 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!

! Management SVI (optional, if local management required)
! Keep management in its own VLAN; never use the blackhole VLAN 999 that the
! unused ports are parked in. VLAN 99 / 10.10.99.0/24 is assumed here to match
! the 10.10.99.1/24 edge address in the lab topology; add VLAN 99 to the allowed
! list on both ends of the trunk and an SVI for it on the SD-WAN Edge.
vlan 99
 name MGMT
!
interface Vlan99
 ip address 10.10.99.10 255.255.255.0
 no shutdown
!
ip default-gateway 10.10.99.1
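
Objectives 1, 2, 3 and 5 of the lab are one procedure, and the port stanzas above are easy to get subtly wrong by hand: a forgotten switchport port-security line, a native VLAN that also carries hosts, an allowed list that drifts away from the VLAN plan. The Python below is an added example for this chapter, not the book's or Cisco's own tooling. It renders the Branch L2 Switch configuration from a small declarative VLAN plan and refuses a plan that breaks the chapter's rules. The hostname, interface names and VLAN IDs are those of the lab; the port-security limits are assumptions noted in the code.

```python
"""Render the lab's Cisco IOS VLAN and port stanzas from a declarative plan.

Added example for this chapter (not the book's or Cisco's tooling). The plan is
checked against the chapter's rules before anything is rendered: no VLAN 1,
native and blackhole VLANs dedicated and host-free, trunks pruned to exactly
the VLANs the branch uses. Names and ports mirror the Branch L2 Switch above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VlanPlan:
    data: Dict[int, str]   # VLANs that carry hosts: ID -> name
    native: int            # untagged on trunks; must carry no hosts
    blackhole: int         # parking VLAN for shut-down ports


LAB_PLAN = VlanPlan(
    data={10: "CORPORATE_DATA", 20: "GUEST_WIFI", 30: "VOICE_VOIP"},
    native=100, blackhole=999)


def validate(plan: VlanPlan) -> List[str]:
    """Return the design-rule violations; an empty list means the plan is sound."""
    errors = []
    for vid in {plan.native, plan.blackhole, *plan.data}:
        if not 2 <= vid <= 4094:
            errors.append(f"VLAN {vid} is VLAN 1 or out of range")
    if plan.native in plan.data:
        errors.append(f"native VLAN {plan.native} carries hosts (double-tagging exposure)")
    if plan.blackhole in plan.data or plan.blackhole == plan.native:
        errors.append(f"blackhole VLAN {plan.blackhole} must be dedicated")
    return errors


def vlan_stanzas(plan: VlanPlan) -> List[str]:
    names = {**plan.data, plan.native: "NATIVE_TRUNK_UNUSED",
             plan.blackhole: "BLACKHOLE_UNUSED"}
    return [line for vid in sorted(names)
            for line in (f"vlan {vid}", f" name {names[vid]}")]


def trunk_stanza(iface: str, desc: str, plan: VlanPlan) -> List[str]:
    # The allowed list is derived from the plan, so pruning can never drift from it.
    allowed = ",".join(str(v) for v in sorted([*plan.data, plan.native]))
    return [f"interface {iface}", f' description "{desc}"',
            " switchport trunk encapsulation dot1q",
            " switchport mode trunk",
            " switchport nonegotiate",                     # no DTP on a static trunk
            f" switchport trunk native vlan {plan.native}",
            f" switchport trunk allowed vlan {allowed}",
            " no shutdown", "!"]


def access_stanza(iface: str, desc: str, vlan: int, plan: VlanPlan,
                  voice: Optional[int] = None, max_macs: int = 1) -> List[str]:
    for v in (vlan, voice):
        if v is not None and v not in plan.data:
            raise ValueError(f"{iface}: VLAN {v} is not a host VLAN in the plan")
    lines = [f"interface {iface}", f' description "{desc}"',
             " switchport mode access", f" switchport access vlan {vlan}"]
    if voice is not None:
        lines.append(f" switchport voice vlan {voice}")
    lines += [" switchport port-security",            # enable before tuning it
              f" switchport port-security maximum {max_macs}",
              " switchport port-security violation restrict",
              " switchport port-security mac-address sticky",
              " spanning-tree portfast",
              " spanning-tree bpduguard enable",        # a BPDU from a host port = rogue switch
              " no shutdown", "!"]
    return lines


def blackhole_stanza(prefix: str, first: int, last: int, plan: VlanPlan) -> List[str]:
    return [f"interface range {prefix}{first} - {last}", " switchport mode access",
            f" switchport access vlan {plan.blackhole}", " shutdown", "!"]


def build_lab_switch_config(plan: VlanPlan = LAB_PLAN) -> str:
    """Full Branch-L2-SW1 configuration; raises if the plan violates a design rule."""
    errors = validate(plan)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["hostname Branch-L2-SW1", "!", *vlan_stanzas(plan), "!"]
    lines += trunk_stanza("GigabitEthernet0/1", "Trunk to SDWAN Edge", plan)
    # max_macs values are assumptions: PC plus one spare MAC; phone plus its PC.
    lines += access_stanza("GigabitEthernet0/2", "Corporate PC", 10, plan, max_macs=2)
    lines += access_stanza("GigabitEthernet0/3", "Guest Wi-Fi AP", 20, plan)
    lines += access_stanza("GigabitEthernet0/4", "IP Phone and PC", 10, plan,
                           voice=30, max_macs=2)
    lines += blackhole_stanza("GigabitEthernet0/", 5, 24, plan)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_lab_switch_config())
```

The same plan object can drive the SD-WAN Edge side (trunk and SVIs), which is the point of rendering from one source: both ends of the trunk get the same native VLAN and allowed list, and a native VLAN mismatch cannot be introduced by hand.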

Verification Steps:

  1. On both devices:
    • show vlan brief (Verify VLANs 10, 20, 30, 100, 999 exist)
    • show interfaces trunk (Verify trunk on Gi0/1, native VLAN 100, allowed VLANs 10,20,30,100)
  2. On Branch L2 Switch:
    • show interfaces GigabitEthernet0/2 switchport (Verify access vlan 10, port-security)
    • show interfaces GigabitEthernet0/3 switchport (Verify access vlan 20)
    • show interfaces GigabitEthernet0/4 switchport (Verify access vlan 10, voice vlan 30)
    • show interfaces status (Verify Gi0/5-24 are down and vlan 999)
  3. On SD-WAN Edge:
    • show ip interface brief (Verify SVIs Vlan10, Vlan20, Vlan30 have correct IP addresses and are up)
  4. Connectivity Testing:
    • From a Corporate PC (connected to Gi0/2 on L2 switch), ping 10.10.10.1 (SD-WAN Edge SVI).
    • From a Guest Client (connected via Guest AP on Gi0/3), ping 10.10.20.1 (SD-WAN Edge SVI).
    • From a device in VLAN 10, ping a device in VLAN 20 (e.g., the Guest AP at 10.10.20.5). This succeeds as long as the SVIs are up and no ACL blocks it; Challenge Exercise 2 restricts exactly this path.
    • From the Corporate PC (VLAN 10), ping the IP Phone at 10.10.30.15 (VLAN 30). This traffic is routed through the SD-WAN Edge SVIs, so a failure here points at the SVIs or the trunk's allowed-VLAN list rather than at the access port.

Challenge Exercises:

  1. Add a new VLAN (e.g., VLAN 40 for IoT devices) and configure an access port on the L2 switch.
  2. Implement an ACL on the SD-WAN Edge to block Guest Wi-Fi (VLAN 20) from accessing the Corporate Data (VLAN 10) network, but allow internet access for Guest.
  3. Explore the configuration of 802.1x authentication on a corporate access port to enhance security.

17.10 Best Practices Checklist

  [x] VLAN Planning: Document VLAN IDs, names, and IP subnets.
  [x] Native VLAN: Use an unused VLAN ID for the native VLAN on trunks, and make it the same on both ends. Never use VLAN 1.
  [x] VLAN 1 Avoidance: Move all user data and management traffic off VLAN 1.
  [x] Unused Ports: Assign unused ports to a "blackhole" VLAN (e.g., VLAN 999) and shut them down. Never put management or hosts in that VLAN.
  [x] DTP Disablement: Disable DTP on all access ports (switchport mode access) and explicitly configure trunks (switchport mode trunk plus switchport nonegotiate).
  [x] VLAN Pruning: Limit allowed VLANs on trunk ports to only those required.
  [x] Security ACLs: Implement explicit ACLs or firewall policies for inter-VLAN traffic control.
  [x] Port Security: Enable port security on access ports (switchport port-security, then the maximum and violation settings), and BPDU guard on every host-facing port.
  [x] QoS Integration: Prioritize critical traffic (e.g., voice) using 802.1Q PCP and IP DSCP.
  [x] Documentation: Keep accurate records of VLAN assignments, IP schemes, and switch configurations.
  [x] Automation: Leverage network automation tools (Ansible, Python) for consistent deployments.
  [x] Monitoring: Monitor VLAN utilization, errors, and security events (port-security violations, BPDU guard err-disables, native VLAN mismatch logs).

17.12 What’s Next

This chapter has provided a deep dive into integrating VLANs within SD-WAN and branch office environments, from foundational concepts to practical configuration, automation, security, and troubleshooting. You’ve learned how VLANs enable crucial segmentation and policy enforcement in modern distributed networks.

Building on this understanding, the next chapter will explore advanced routing protocols within SD-WAN contexts, focusing on how dynamic routing protocols (like OSPF and BGP) interact with SD-WAN overlays and how routing policies can be centrally managed to steer traffic efficiently across the hybrid WAN. You’ll also delve into the specifics of route redistribution and path selection within complex SD-WAN topologies.