When the number of network users and endpoint devices grows, we don't always want everyone to be able to communicate with each other without any restrictions. Additionally, due to the different nature of the tasks performed by users (office network, laboratory network), a different configuration of the network is required. Thus, it seems natural to build several separate networks, based on independent devices.
Of course this is possible and sometimes even necessary. But is this the only solution? Help comes in the form of managed switches that enable configuration of many logical networks.
A Virtual Local Area Network (VLAN) allows to divide a larger physical computer network into logical, isolated segments. This functionality is implemented in the second layer in the ISO/OSI model. VLAN technology has been described in the 802.1Q standard.
VLANs are usually used for:
- network segmentation,
- isolating users from each other,
- separating different types of traffic.
The picture below shows the idea of a VLAN. On the SW switch that allows for VLAN configuration, the network was splitted into two logical networks, which physically corresponds to network configuration on two independent switches (SW1 and SW2).
Only devices that belong to the same VLAN can communicate with each other because each VLAN determines an independent broadcast domain. One VLAN corresponds to one broadcast domain, so any kind of traffic within one VLAN (unicast, multicast, broadcast) is not visible in other VLANs.
Apart from network segments isolation, this approach also reduces the flooding of switch ports with packets from ARP and DHCP protocols that never cross VLAN boundaries. The switch creates a separate table of network physical addresses for each VLAN.
VLAN configuration is implemented on layer two network switches (L2). Generally speaking, it is realized by creating a "vlan" object on the switch and assigning specific physical switch ports to it. In this way, you can create isolated virtual local networks on one physical switch (or multiple network switches regardless of their location).
The marking of frames that belong to a VLAN
In a situation where a switch supports traffic to several logical networks, it must get the information to which network the traffic should be directed to.
Depending on the type of a port that has been defined, the switch adds, does not add or removes the so-called VLAN Tag in the Ethernet frame (the frame is the smallest portion of data transmission in an Ethernet network, which has specific fields to facilitate transmission, and the appropriate data, e.g. fragments of a file, e.g. a movie, is sent in the Data field).
A VLAN Tag is used by a switch to "find" a VLAN, and at the same time to find the end device (workstation, printer) to which the data is to be delivered (transferred in the Ethernet field Date with a specific VLAN ID).
A VLAN tag is placed in an Ethernet frame between the source address and the type/length field. It consists of 4 bytes, which include:
- Tag Protocol Identifier (TPID) – allows to distinguish between untagged, single tagged and double tagged frames;
- Priority – the bits that are dedicated for defining the quality priorities of the transmitted traffic;
- Drop Eligible Indicator (DEI) – a bit used together with Priority bits for marking frames that can be dropped if the total bandwidth is used,
- VLAN ID – 12 bits specifying the number of the transferred VLAN. It allows to define 4094 VLANs that can be used in the network (from 1 to 4094). VLANs 0 and 4095 are excluded and cannot be used.
Adding an additional 4-byte tag to the Ethernet frame changes the maximum frame size from 1518 to 1522 bytes.
On trunk or hybrid ports, the frames which are sent are marked with the VLAN Tag according to the VLAN number (VLAN ID) from which they originate. On access ports, the frames are always sent untagged (they do not contain the VLAN Tag). It is possible to add a second tag to the frame - this frame is called double-tagged, but more on that topic you will find out in another article.
Ports on a switch
The term "port type" on a switch has already been introduced. What does this mean if physically all the sockets look identical?
Trying to explain it in one sentence, you can say that the type of a port depends on the type of traffic it handles. This definition seems to be quite intuitive because the ports are divided into:
Port Access - is used to connect endpoint devices and this is the port assigned to a specific VLAN. The traffic sent through this port is untagged (the frame has no VLAN Tag). Only the traffic from the defined VLAN is sent. The traffic entering this port is directed to the defined VLAN to which the port has been assigned.
Port Trunk – is used to connect switches with each other (and switches with routers) and to send multiple VLANs on a single link. To be able to send multiple data streams over one link, all frames from multiple VLANs in a trunk link contain the appropriate VLAN tags with different VLAN IDs. One VLAN, referred to as a native VLAN, is transmitted over a trunk link as untagged. The traffic entering this port is interpreted on the basis on the VLAN tag assigned by the device on the other side. If non-tagged traffic enters the trunk port, then it is directed to the defined native VLAN.
Port Hybrid - combines the features of access and trunk ports, allows you to send both tagged and untagged VLANs other than native VLANs over a single link .
Describing the types of ports, there appears the term native VLAN. This is an additional VLAN defined on the trunk and hybrid link. The outgoing traffic, if it belongs to the native VLAN, is sent untagged on the trunk and hybrid link. The untagged traffic entering the trunk or hybrid port goes directly to the native VLAN. It is important that we set the native VLAN separately on both sides of the link. For proper traffic handling, the same VLAN number should be set on both sides.
A sample VLAN configuration (N - means non-tagged traffic, 33, 100, 200 - sample VLAN numbers)
VLAN technology offers many configuration options. The most common applications are:
- Logical network organization - computers that should work in one network can be physically connected to different switches,
- Network segmentation - isolating traffic between VLANs, e.g. computers in an office network should not have access to the network used for the production and testing of software or machine control.
- Easier "Quality of Service" implementation - prioritization of network services - a dedicated VLAN can handle the traffic that requires higher priority, e.g. only the traffic from VoIP telephony.
- Security and permission management - users with different privileges can be separated from one another - a separate VLAN for the guest Wi-Fi network, a separate network for managing and configuring devices. Separate access control lists can be created for different VLANs.