Introduction to VLANs - one network or multiple networks?

Often, because the tasks a network serves differ in nature (office, laboratory), the network itself has to be configured differently for each of them.

The natural solution seems to be building several separate networks on independent devices. Of course, this is possible, and sometimes necessary. But is it the only solution? Managed switches come to the rescue: they allow you to configure multiple logical networks on the same hardware.

Virtual Local Area Networks (VLANs) allow you to divide a larger physical computer network into logical, isolated segments. This division is implemented at Layer 2 of the ISO/OSI model. VLAN technology is described in the IEEE 802.1Q standard.

VLANs are used, among others, for:

  • network segmentation,
  • isolating users from each other,
  • separating different types of traffic.

The following figure shows the idea of a VLAN. On switch SW, which supports VLAN configuration, a logical division of the network is performed that corresponds visually to configuring the network on two independent switches (SW1 and SW2).

Only devices belonging to the same VLAN can communicate with each other, since each VLAN forms an independent broadcast domain. One VLAN equals one broadcast domain, so traffic flowing within one VLAN (unicast, multicast, broadcast) is not visible in the other VLANs.

In addition to isolating network segments, this approach also reduces the flooding of switch ports with ARP and DHCP broadcasts, which never cross VLAN boundaries. For each VLAN, the switch keeps a separate table of the physical (MAC) addresses of the devices.

VLAN configuration is performed on Layer 2 (L2) network switches. Very generally speaking, it consists of creating a “vlan” object on the switch and assigning specific physical switch ports to it. In this way, on a single physical switch (or on multiple switches regardless of their location), you can create local area networks isolated from each other.

Tagging frames belonging to a VLAN

When a switch carries traffic for several logical networks, it must receive information about which network each frame should be directed to.

Depending on the type of port defined, the switch adds, leaves unchanged or removes the so-called VLAN tag in an Ethernet frame. (A frame is the smallest unit of transmission on an Ethernet network; it has specific fields that handle the transmission and carries the actual data, such as fragments of a video file, in its Data field.)

The VLAN tag allows the switch to “find” the VLAN, and thus the end device (workstation, printer), to which the data carried in the Ethernet frame's Data field should be delivered under the given VLAN ID.

The VLAN tag is located in the Ethernet frame between the source address and the type/length field. It consists of 4 bytes, which include:

  • Tag Protocol Identifier (TPID) — allows you to distinguish between untagged, singly tagged and double-tagged frames;
  • Priority — bits used to define the quality-of-service priority of the transmitted traffic;
  • Drop Eligible Indicator (DEI) — the bit that, together with the Priority bits, designates frames that may be discarded when the total bandwidth of the link is exhausted;
  • VLAN ID — 12 bits defining the number of the VLAN the frame belongs to. This allows 4094 VLANs to be defined for use in the network (1 to 4094). VLANs 0 and 4095 are reserved and cannot be used.

Adding the 4-byte tag to an Ethernet frame raises the maximum frame size from 1518 to 1522 bytes. On trunk or hybrid ports, outgoing frames are marked with a VLAN tag carrying the number (VLAN ID) of the VLAN they originate from.

On access ports, outgoing frames are always untagged (they contain no VLAN tag). It is also possible to add a second tag to a frame; such a frame is called double-tagged, but more on that in the next article.
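To make the tag layout above concrete, here is an added example (not code from the original article) that builds constructed Ethernet frames and then peels 802.1Q tags from the position between the source MAC and the type/length field, returning the TPID, priority, DEI and VLAN ID of each tag. It handles untagged, single-tagged and double-tagged frames; the TPID values 0x8100 and 0x88A8 and the IPv4 EtherType are the standard constants, and the MAC addresses and payload in the test are made up.

```python
import struct

TPID_8021Q = 0x8100    # single tag (customer VLAN)
TPID_8021AD = 0x88A8   # outer tag of a double-tagged (QinQ) frame
ETHERTYPE_IPV4 = 0x0800

def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype, payload) for a raw Ethernet frame without FCS.

    Tags are peeled off one by one from the position between the source MAC
    and the type/length field, so an untagged frame yields an empty list and
    a double-tagged frame yields two entries (outer tag first)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags = []
    offset = 12                                  # dst MAC (6) + src MAC (6)
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                                # reached the real type/length field
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vid = tci & 0x0FFF
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,                    # 3 priority bits
            "dei": (tci >> 12) & 0x1,            # drop eligible indicator
            "vid": vid,                          # 12-bit VLAN ID
            "reserved": vid in (0, 4095),        # IDs the article says cannot be used
        })
        offset += 4                              # each tag is exactly 4 bytes
    return tags, ethertype, frame[offset + 2:]

def build_frame(dst: bytes, src: bytes, payload: bytes, vlans=()) -> bytes:
    """Constructed sample frame; vlans is a sequence of (tpid, pcp, dei, vid),
    outer tag first. Each tag adds exactly 4 bytes to the frame."""
    hdr = dst + src
    for tpid, pcp, dei, vid in vlans:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload
```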

Ports on the switch

The concept of “port type” on the switch was introduced above. What does it mean, if physically all the sockets look identical? We can say that the type of a port depends on the type of traffic it handles. The term is quite intuitive, because we divide the ports into:

  • Access
  • Trunk
  • Hybrid

Access port — used to connect end devices; it is a port assigned to one specific VLAN. Traffic sent out of this port is untagged (the frame has no VLAN tag), and only traffic from the assigned VLAN is sent. Traffic entering this port is placed in the VLAN to which the port has been assigned.

Trunk port — used to connect switches to each other (and switches to routers) and to carry multiple VLANs over a single link. So that multiple data streams can be transmitted on one link, all frames on the trunk link from the different VLANs carry VLAN tags with the corresponding VLAN IDs. One VLAN, referred to as the native VLAN, is transmitted over the trunk untagged. Traffic entering this port is interpreted based on the VLAN tag assigned by the device on the other side of the link. If untagged traffic enters the trunk port, it is placed in the configured native VLAN.

Hybrid port — combines the features of access and trunk ports; it allows both tagged VLANs and untagged VLANs other than the native VLAN to be sent on a single link.

The description of the port types used the term native VLAN. This is an additional VLAN defined on a trunk or hybrid link. Outbound traffic belonging to the native VLAN is sent untagged on the trunk or hybrid link.

Untagged traffic entering a trunk or hybrid port goes directly to the native VLAN. Note that the native VLAN is configured separately on each side of the link; for correct traffic handling, the same VLAN number must be set on both sides.
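The port behaviour described above (access, trunk and hybrid ports, native VLAN, ingress classification and egress tagging) as an added model in code, not part of the original article. Frames are reduced to their VLAN ID (or None for untagged), the Port class and its field names are this example's own, and the last function shows what goes wrong when the two ends of a trunk link have different native VLANs.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Port:
    kind: str                                   # "access", "trunk" or "hybrid"
    pvid: int = 1                               # access VLAN, or native VLAN on trunk/hybrid
    tagged: set = field(default_factory=set)    # VLANs carried tagged (trunk/hybrid)
    untagged: set = field(default_factory=set)  # extra VLANs sent untagged (hybrid only)

def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Classify an arriving frame (tag = VLAN ID from the frame, None = untagged).
    Returns the VLAN the frame is placed in, or None if the switch drops it."""
    if tag is None:
        return port.pvid                        # untagged -> access VLAN / native VLAN
    if port.kind == "access":
        return None                             # access ports do not accept tagged frames
    if tag in port.tagged or (port.kind == "hybrid" and tag in port.untagged):
        return tag
    return None                                 # VLAN not allowed on this link

def egress(port: Port, vlan: int) -> Optional[Tuple[str, Optional[int]]]:
    """Decide how a frame belonging to `vlan` leaves a port:
    ("untagged", None), ("tagged", vlan), or None if the port does not carry it."""
    if vlan == port.pvid or (port.kind == "hybrid" and vlan in port.untagged):
        return ("untagged", None)
    if port.kind != "access" and vlan in port.tagged:
        return ("tagged", vlan)
    return None

def forward(in_port: Port, tag: Optional[int], out_port: Port):
    """Carry one frame from in_port to out_port through the VLAN lookup."""
    vlan = ingress(in_port, tag)
    return None if vlan is None else egress(out_port, vlan)

def native_vlan_mismatch() -> Tuple[int, int]:
    """Two ends of one trunk link with different native VLANs (a misconfiguration).
    Returns (VLAN the frame left in, VLAN the peer placed it in)."""
    sw1_uplink = Port("trunk", pvid=100, tagged={33, 200})
    sw2_uplink = Port("trunk", pvid=1, tagged={33, 200})
    how, _ = egress(sw1_uplink, 100)            # native VLAN 100 leaves untagged
    assert how == "untagged"
    return 100, ingress(sw2_uplink, None)       # peer files it under ITS native VLAN
```

The mismatch function returns (100, 1): the frame silently changes VLAN across the link, which is why the article insists on the same native VLAN number on both sides.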

Sample VLAN configuration (N — untagged traffic; 33, 100, 200 — sample VLANs)

Practical applications

VLAN technology offers many configuration possibilities. The most common uses include:

  • Logical network organization: computers that are supposed to work on a single network can be physically connected to different switches.
  • Network segmentation: isolating traffic between VLANs, e.g. computers in the office network should not have access to the network used for software development and testing or for machine control.
  • Easier implementation of Quality of Service (prioritization of network services): a dedicated VLAN can handle traffic that requires higher priority, e.g. only VoIP telephony traffic.
  • Security and permissions management: users with different permissions can be separated from each other, with a separate VLAN for the Wi-Fi network shared with guests and a separate network for managing and configuring devices; separate access control lists can be created for different VLANs.

Today, dividing the network into VLANs is a basic principle in the design of larger networks, both for organization and operation and for security.

These capabilities are available on most Layer 2 network switches. From the above follow good practices for the logical separation of the network's end users.

Also from the point of view of network management and the implementation of security policies, the functions of a managed Layer 2 switch give administrators many more possibilities.