This tutorial will take a practical approach to explaining VLANs. It will focus on the two primary functions of VLANs, and wrap up with an explanation of the Native VLAN concept. At the end, there's a two-question quiz to test your understanding. If you can answer both questions correctly, you'll have grasped the VLAN concept. Configuration of VLANs will be covered in a separate tutorial.
The Two Primary Functions of VLANs
Take the following example a network with three separate physical switches. Switches enable communications within networks, while routers manage communications between networks.
Each switch operates independently, performing all the standard functions of a switch.
If each switch has 24 ports, but only two are in use, that leaves 22 unused ports on each switch. Now imagine you need to replicate this network elsewhere but don't have three physical switches available. This is where VLANs provide their first major benefit: they allow you to divide a single physical switch into multiple smaller, virtual switches (logically).
Dividing a Physical Switch into Multiple Virtual Switches
In the example below, each circle on the switch represents a mini-switch, or virtual switch. These mini-switches are groupings of switchports that function independently from one another - just as f they were separate physical switches.
In this setup, network traffic flows through the single switch in the same way it would through three distinct physical switches, with routers configured identically in both cases.
Each virtual switch (VLAN) is assigned to a specific number for each switchport. For instance, two ports in the red mini-switch might be assigned to VLAN #10, two ports in the orange mini-switch to VLAN #20, and two ports in the blue mini-switch to VLAN #30.
Any switchport not explicitly assigned a VLAN number belongs to the default VLAN, which is usually VLAN 1 for most vendors, and assigned by default.
When network traffic arrives on a switchport assigned to a specific VLAN, it will only be forwarded to another port within the same VLAN. A switch will never allow traffic to cross from one VLAN to another directly, unless explicitly defined to do so. Just like separate physical switches, VLANs are isolated from each other.
In the initial illustration, network traffic from the red switch cannot reach the orange switch without first passing through a router. Similarly, in the second illustration, traffic in VLAN #10 cannot reach VLAN #20 without routing through a router.
When a frame enters a switchport in VLAN #10, it can only exit through another port in VLAN #10. Even though we can observe the frame moving through different VLANs, the switch sees each instance of the frame as independent: arriving on one port within a VLAN and exiting another port within the same VLAN.
VLANs and MAC Address Tables
A switch is designed to facilitate data movement within IP networks, and one of its key components is the MAC Address Table. This table maps MAC addresses to specific switchports, allowing the switch to know where to send traffic. A basic entry in a MAC address table might look like this:
MAC Address | Port
When a switch supports VLANs, it adds another layer to this table by including the VLAN number for each entry. A VLAN-aware MAC address table entry would look like this:
VLAN# | MAC Address | Port
This additional VLAN information means that each VLAN behaves as though it has its own isolated MAC address table. For example, if Host A in VLAN #10 sends a frame to Host B, the switch will only forward the frame to ports within VLAN #10, even if Host B's MAC address is known to be associated with VLAN #30. Each VLAN is treated as a separate network.
Assigning different switchports to different VLANs enables the use of a single physical switch for multiple, distinct network segments. This is the first major function of VLANs: they allow one physical switch to act like multiple virtual switches.
Extending Virtual Switches Across Multiple Physical Switches
But VLANs offer more than just internal network segmentation. Their second major function is to allow virtual switches (VLANs) to span across multiple physical switches, creating a seamless extended network between devices on the same VLAN, even when they are connected to different physical switches.
To illustrate, let's add an extra physical switch and more hosts to the original topology:
Notice how VLAN #10 and VLAN #30 have been extended to a second switch. This allows Host A and Host C to coexist within the same VLAN, even though they are connected to different physical switches that could be located in entirely different areas.
The key advantage of extending a VLAN across multiple physical switches is that the Layer 2 topology becomes independent of the physical layout. A VLAN can span across different rooms, floors, or even buildings, creating a unified network segment.
In this example, each connected switchport is part of only one VLAN. Such ports are referred to as Access ports - a switchport that belongs to a single VLAN. When configuring a port as an Access port, the administrator assigns it to a specific VLAN. Any network traffic arriving at an Access port is automatically placed in that configured VLAN.
Scaling VLANs Across Switches
To extend a VLAN to another switch, you could simply connect an Access port on each switch for every VLAN. While this method works, it is not scalable. Imagine a network with ten VLANs - on a 24-port switch, nearly half the ports would be consumed by inter-switch connections. This quickly becomes inefficient.
To solve this, there's a more efficient method: Trunk ports. A Trunk port is a switchport that can carry network traffic for multiple VLANs simultaneously. Instead of dedicating a separate Access port for each VLAN, a Trunk port can handle traffic from all VLANs, optimizing port usage and making it easier to scale the network across multiple switches.
By using Trunk ports, we can reduce the number of switchports needed for the topology, leaving more available ports for future network expansion.
This updated physical topology functions the same way as the previous setup but requires far fewer switchports. In fact, we've used only four Trunk ports across both switches to replace the eight Access ports that were needed in the earlier example.
Generally, switchports connected to end-user devices like workstations, printers, or servers are configured as Access ports, as these devices typically only need to be a part of a single VLAN. In contrast, switchports that connect to other network devices, such as switches or routers, are typically configured as Trunk ports because they need to carry network traffic for multiple VLANs at once. The reason behind this distinction will be explained later in the tutorial.
Tagged and Untagged Ports
A Trunk port can carry network traffic destined for multiple VLANs. For instance, in the earlier example, the connection between the two switches is carrying network traffic destined for both VLAN #10 and VLAN #30.
However, since the network traffic consists of a series of frames, how does the receiving switch know which frames belong to VLAN #10 and which belong to VLAN #30?
To solve this, whenever a switch sends frames through a Trunk port, it tags each frame with a VLAN identifier. This tag tells the receiving switch which VLAN the network traffic belongs to, allowing it to correctly route the frames to the appropriate VLAN.
In contrast, an Access port only carries network traffic destined for a single VLAN. Since there's no ambiguity about the VLAN assignment, there's no need to add a tag to frames sent from an Access port. The network traffic is implicitly associated with the VLAN assigned to that specific port.
This differentiation - tagged traffic for Trunk ports and untagged traffic for Access ports - ensures that switches can efficiently handle network traffic destined for multiple VLANs without confusion.
Since VLANs operate at Layer 2, the VLAN tag is embedded within the Layer 2 (Ethernet) header. In modern Ethernet networks, the standard header consists of three main fields:
1. Destination MAC Address
2. Source MAC Address
3. Type
When a frame exits through a Trunk port, the switch inserts a VLAN Tag between the Source MAC Address and the Type fields. This tag identifies which VLAN the frame belongs to, ensuring that the receiving switch knows how to handle the incoming network traffic and which VLAN to associate it with.
Final Topology Overview
To summarize, the final network topology, where network traffic flows between Host C and Host D, would include both Access ports and Trunk ports:
- Access ports will handle untagged traffic between end devices (e.g. Host C and Host D), since these ports belong to only one VLAN.
- Trunk ports will carry tagged traffic between switches, allowing multiple VLANs to share the same physical connection.
The insertion of VLAN tags on Trunk ports enables the seamless flow of VLAN network traffic across multiple switches while maintaining VLAN boundaries and proper routing within the network.
The physical topology described above functions identically to the logical topology shown below. The hosts - such as Host C and Host D - are unaware of the number of physical switches (whether two, three, or more) or the VLAN configurations in place. Form their perspective, they operate as if they are simply transmitting and receiving packets within the network, without any knowledge of the underlying VLAN structure or the multiple switches involved.
This abstraction is a key feature of VLANs, allowing the physical network architecture to be decoupled from the logical network operation. The hosts continue to communicate as they normally would, without needing to know about the VLAN tagging, trunking, or the specific paths their data takes through the switches.
Access Ports and End-Host Devices
Earlier, we discussed how Access ports are typically connected to end-host devices like workstations, printers, and servers. A key reason for this is that switches do not add VLAN tags to network traffic when sending it out through an Access port.
This design allows hosts to operate without needing to be aware of the VLAN they are connected to. Essentially, hosts are intentionally kept "blind: to the presence and use of VLANs. From the host's perspective, they simply send and receive data as if they are connected to any typical network - without concern for VLAN tagging or switching.
In the early days of networking, some end-devices would malfunction if they received a frame with a VLAN tag. These devices, expecting only the standard Ethernet header, would interpret the VLAN tag as a malformed header; however, this was rare, as VLAN tags were designed to minimize the chance of being misinterpreted in this way (this will be explained more in the next section).
Even though these compatibility issues were uncommon, the best practice is to avoid sending VLAN-tagged traffic to end-hosts. Hosts should remain unaware of VLANs in use, which helps to maintain simplicity and compatibility across the network.
Exceptions: Hypervisors and Virtual Machines
One exception to this rule is when a single physical host is hosting multiple Virtual Machines (VMs), such as in a Hypervisor environment. In cases where each VM needs to exist in its own VLAN, the physical host must be connected to a Trunk port. This allows the host to send and receive VLAN-tagged traffic, ensuring that the network traffic from each VM is confined to the appropriate VLAN. This is an important scenario where VLAN awareness becomes necessary at the host level, but only for networked virtualization setups.
Terminology
It's important to note that the terms Access port and Trunk port are primarily used in the Cisco ecosystem. Since VLANs are an open standard, other vendors also implement VLANs but may use different terminology for these concepts.
- What Cisco refers to as a Trunk port (a switchport that carries traffic destined for multiple VLANs), other vendors often call a Tagged port. This term highlights the fact that VLAN tags are added to traffic leaving the port.
- Similarly, what Cisco calls an Access port (a switchport that carries traffic destined for a single VLAN), other vendors may refer to as an Untagged port, emphasizing that no VLAN tag is added to the traffic leaving the port.
While these terms may vary by vendor (and some vendors may even mix and match terminology), the underlying concepts remain the same. Whether it's called a Trunk or Tagged port, or an Access or Untagged port, the behaviors and functionalities follow the same VLAN principles.
802.1Q VLAN Tag
VLAN tagging requires modifying Ethernet frames by adding or removing bits that identify the associated VLAN. The structure of these bits is defined by the 802.1Q standard, an open IEEE standard that governs VLAN tagging across all devices, regardless of vendor.
The 802.1Q VLAN tag adds specific information to the Ethernet frame to indicate its VLAN membership. This is the most widely used VLAN tagging method today.
To illustrate how VLAN tagging alters a packet, consider the packet capture below. It shows the same frame before and after it passes through a Trunk port, where the 802.1Q tag is inserted, allowing switches to handle the frame appropriately based on its VLAN assignment.
In the frame capture, the portion highlighted in yellow represents the VLAN tag. As previously mentioned, this tag is inserted between the Source MAC address and the Type field within the Ethernet header. This VLAN tag enables switches to route the traffic according to the correct VLAN.
You can explore this capture yourself using Cloudshark or by downloading the capture file to open it in Wireshark.
While the addition or removal of the VLAN tag does not alter the frame's payload, the slight modification to the header means that the CRC (Cyclic Redundancy Check) must be recalculated. The CRC is a hash algorithm used to detect transmission errors, and adding or removing the VLAN tag requires recalculating this checksum to ensure data integrity.
ISL vs. 802.1Q
There is an older VLAN tagging method called Inter-Switch Link (ISL), which was a Cisco proprietary technology. ISL encapsulated the entire Layer 2 frame in a new header, which contained the VLAN identification umber. Unlike the lightweight tag used in 802.1Q, ISL added a full encapsulation header around the frame.
However, ISL is now obsolete. Even newer Cisco devices no longer support it, as the networking industry has widely adopted the 802.1Q standard due to its openness and efficiency. 802.1Q is now the de facto method for VLAN tagging across all vendor products.
Native VLAN
The Native VLAN is a critical concept related to how switches handle traffic on Trunk ports, particularly when dealing with untagged traffic. It addresses the question of how a switch processes frames that arrive on a Trunk port without a VLAN tag.
When a switch receives untagged traffic on a Trunk port, it cannot determine the associated VLAN since no tag is present. In such cases, the switch assigns the untagged traffic to the Native VLAN. Essentially, this means that any untagged traffic received on a Trunk port is automatically associated with the configured Native VLAN.
Moreover, any traffic that the switch forwards out of a Trunk port, which belongs to the Native VLAN, is sent without a VLAN tag. This characteristic allows for untagged traffic to traverse the network without requiring additional tagging.
Configuration and Importance
The Native VLAN can be configured on any Trunk port. If no specific Native VLAN is designated, the default setting is VLAN #1.
It's crucial that both ends of a Trunk port are configured with the same Native VLAN. Mismatched Native VLAN configurations can lead to traffic being improperly tagged or dropped, causing connectivity issues. This illustration demonstrates why consistent Native VLAN settings on both sides of a Trunk port are essential for maintaining network integrity.
Recap
- Native VLAN: The VLAN associated with untagged traffic on a Trunk port.
- Untagged Traffic: Sent to the Native VLAN without a VLAN tag.
- Configuration: Must be consistent on both ends of a Trunk port to avoid connectivity issues.
In the scenario described, we have four hosts (A, B, C, and D) connected to Access ports configured for VLAN #22 or VLAN #33, with Switch X and Switch Y connected via a Trunk port.
Host Communication Scenario
1. Host A to Host C Communication:
- When Host A attempts to send a frame to Host C, the frame arrives at Switch X.
- Switch X recognizes the traffic as belonging to VLAN #22.
2. Trunk Port Forwarding:
- As the frame is forwarded out of Switch X's Trunk port, no VLAN tag is added because the Native VLAN for the Trunk port on Switch X is also VLAN #22.
3. Switch Y Processing:
- When the untagged frame reaches Switch Y, it cannot identify the VLAN since the frame lacks a tag. Instead, Switch Y associates the untagged traffic with its configured Native VLAN, which is VLAN #33.
- Because Switch Y does not allow traffic from VLAN #33 to exit through a port associated with VLAN #22, Host C will not receive the frame intended for it.
4. Potential Flooding Issues:
- Due to the flooding behavior of switches, it is possible that Host D might inadvertently receive the traffic that was meant for Host C, leading to further confusion and potential data exposure.
Important Notes on Native VLAN
- The concept of the Native VLAN is specific to 802.1Q. In contrast, the older Inter-Switch Link (ISL) method dropped any untagged traffic arriving at a Trunk port, leading to potential loss of communications.
- Remember that the Native VLAN concept is relevant only for Trunk ports. Traffic that leaves or arrives at an Access port is always expected to be untagged, making the distinction between the two port types crucial for proper VLAN functionality.
To ensure seamless communications across switches, it's essential to configure matching Native VLANs on both ends of a Trunk port. In this case, had both Switch X and Switch Y been configured with the same Native VLAN, Host A's frame would have been correctly forwarded to Host C, maintaining the integrity of the VLAN structure.
VLAN Comprehension Challenge
To test your understanding of VLANs, consider the following questions based on the provided topology featuring five switches and twelve hosts. Each switchport is configured as either an Access port in the displayed VLAN or a Trunk port with the designated Native VLAN.
Challenge Questions
Question #1:
If Host 1, which is connected to Switch A's Access port configured for VLAN #10, attempts to communicate with Host 5 connected to Switch C's Access port configured for VLAN #20, what potential issues might arise due to the VLAN configurations?
Question #2:
What will happen to the untagged traffic sent from Host 2, which is connected to an Access port on Switch B configured for VLAN #30, when it is forwarded through the Trunk port to Switch D, where the Native VLAN is configured for VLAN #10?
Answer to Question #1
Answer to Question #2
Rate This Article
Thanks for reading: Virtual Local Area Network (VLAN) Tutorial, Sorry, my English is bad:)