Introduction to Virtual Local Area Network (VLAN)

Barikumamondelo
7 min read · Apr 22, 2024


In this article, we will talk about Virtual LANs (VLANs). First, a LAN consists of devices connected together in one area, such as a building, a school campus, or an office. These devices are considered to be in the same broadcast domain. A broadcast domain is the set of all devices that receive a copy of a broadcast frame (a frame with a destination MAC address of FF:FF:FF:FF:FF:FF) sent by any one of them. By default, a switch considers all its ports to be in the same broadcast domain. This means that when a broadcast frame enters the switch through one of its switchports, the switch sends the frame out of every other port (a frame is never sent back out of the port it arrived on).

With this short explanation of what a LAN and a broadcast domain are, you can deduce that if you want two broadcast domains you need two switches, if you need three broadcast domains, three switches, and so on.

By configuring VLANs on one switch, we can achieve the goal in the image above with a single device. A VLAN logically divides a broadcast domain at Layer 2 (the Data Link layer). Physically, the devices are connected to one switch and appear to share one broadcast domain, but logically they are in different broadcast domains: a host in one VLAN cannot reach a host in another VLAN at Layer 2, so it cannot ARP for it or see its broadcasts.

In the image above, the switch has been configured with two VLANs, VLAN 100 and VLAN 200. 100 and 200 are the VLAN IDs, used to identify the VLAN a frame belongs to. The VLAN ID is a 12-bit field, so there are 2¹² (4096) possible values, but 0 and 4095 are reserved and cannot be assigned, leaving 1–4094 usable. On Cisco switches there are two VLAN ranges: normal-range VLANs, 1–1005, and extended-range VLANs, 1006–4094. By default, a Cisco switch comes with VLANs 1, 1002, 1003, 1004 and 1005 (the last four are legacy FDDI and Token Ring defaults), and these VLANs cannot be deleted.

Recall that by default a switch considers all its ports to be in the same broadcast domain. After configuration, the switch assigns ports F0/1 and F0/2 to VLAN 100, and ports F0/3 and F0/4 to VLAN 200. This means that if a broadcast frame enters through port F0/1, it is only forwarded out of port F0/2, since that is the only other port in the same broadcast domain as F0/1. Broadcast frames for a particular VLAN are only received by devices in that VLAN. For a switch port to be in a VLAN, it has to be configured as an access port in that VLAN. There will be an article on VLAN configuration, so you will understand this better then. For now, just know that an access port is a switchport that belongs to a single VLAN and usually connects to end hosts.

We know that in a network, switches do not only connect to end devices; they also sometimes connect to other switches, and with multiple switches you have to consider how traffic for several VLANs is forwarded between the switches. There are two types of VLAN ports:

  1. Access (untagged) ports: These are ports that connect to end devices. They are called untagged because the switch already knows which VLAN the port is assigned to, so frames on the link need no "Tag" (explained below).
  2. Trunk (tagged) ports: These are ports that two or more VLANs can pass through. They usually connect switches to each other or, in some cases, to a router. Before a switch sends a frame out of a trunk port, it adds a "Tag" to it. The switch treats the trunk port as if it were part of every VLAN allowed on the trunk; by default a trunk allows all VLANs, so in practice you restrict the allowed list to the VLANs that actually need to cross that link.

THE 802.1Q “TAG”

Imagine you just landed from a flight and go to claim your baggage. You see four suitcases identical to yours, but since all suitcases have name tags on them, you are able to identify which one is yours. The 802.1Q tag does the same job for frames: it lets network devices identify which VLAN each frame belongs to as it travels through the network, so that each frame reaches the right VLAN, just as your suitcase ends up in your hands and not someone else's.

From the image above, we can see that the trunk port carries frames from VLAN 10 and VLAN 20 and adds a tag containing the VLAN ID to each frame, informing the other switch which VLAN a frame belongs to.

The 802.1Q tag sits between the source MAC address field and the Type/Length field of the Ethernet header.

Ethernet frame format with 802.1Q tag

The 802.1Q tag is 4 bytes in size. The first 2 bytes are the Tag Protocol Identifier (TPID); the value 0x8100 indicates that the frame is 802.1Q tagged (the TPID sits where the Type/Length field would otherwise be, which is how a receiver tells a tagged frame from an untagged one). The next 3 bits are the Priority Code Point (PCP), used for Class of Service (CoS) markings. The next 1 bit is the Drop Eligible Indicator (DEI), used to mark frames that can be dropped first if the network is congested. The last 12 bits are the VLAN ID (VID), which identifies the VLAN the frame belongs to. (Note that the first 2 bytes are the TPID and the second 2 bytes are the Tag Control Information (TCI), which consists of the three fields PCP, DEI and VLAN ID.)
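As an added example (not code from the original article), here is a small Python builder and parser for the tag layout just described. It constructs its own sample frames rather than using captures, also accepts the 802.1ad S-TAG TPID 0x88A8 so that stacked (QinQ) tags are decoded instead of being mistaken for payload, and exposes an is_double_tagged check a practitioner can point at frames seen on an access port, where a second tag should never appear. The MAC addresses and the zeroed ARP body are constructed values.

```python
import struct

TPID_8021Q = 0x8100    # customer tag (C-TAG) TPID from IEEE 802.1Q
TPID_8021AD = 0x88A8   # service tag (S-TAG) TPID from IEEE 802.1ad, seen in stacked frames
KNOWN_TPIDS = (TPID_8021Q, TPID_8021AD)


def build_tag(vid, pcp=0, dei=0, tpid=TPID_8021Q):
    """Return one 4-byte tag: TPID (16 bits) then TCI = PCP (3) | DEI (1) | VID (12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094; 0 and 4095 are reserved")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return struct.pack("!HH", tpid, tci)


def build_frame(dst, src, ethertype, payload, vids=()):
    """Assemble dst | src | [tag ...] | EtherType | payload; vids are listed outermost first."""
    tags = b"".join(build_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the header, peeling every tag that sits between the source MAC and the EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    tags, offset = [], 12
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated: no EtherType after the tag stack")
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid not in KNOWN_TPIDS:
            break                      # not a tag, so this is the real EtherType
        if offset + 4 > len(frame):
            raise ValueError("truncated tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append({"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        offset += 4
    return {
        "dst": frame[0:6], "src": frame[6:12], "tags": tags,
        "ethertype": tpid, "payload": frame[offset + 2:],
    }


def vlan_of(frame):
    """VID the frame claims to belong to (outermost tag), or None when the frame is untagged."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else None


def is_double_tagged(frame):
    """Two or more stacked tags on a port that should carry at most one is worth alerting on."""
    return len(parse_frame(frame)["tags"]) >= 2


# constructed sample frames, not captures
BCAST = b"\xff" * 6
HOST = bytes.fromhex("001122334455")
ARP = b"\x00" * 28                                    # zeroed 28-byte ARP body
TAGGED_100 = build_frame(BCAST, HOST, 0x0806, ARP, vids=(100,))   # header ends ... 81 00 00 64 08 06
UNTAGGED = build_frame(BCAST, HOST, 0x0806, ARP)
STACKED = build_frame(BCAST, HOST, 0x0806, ARP, vids=(1, 200))    # outer VID 1, inner VID 200
```

parse_frame walks the header one 4-byte tag at a time and treats the first 16-bit value that is not a known TPID as the EtherType, which is exactly how a receiving NIC or switch ASIC distinguishes a tagged frame from an untagged one.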

802.1Q has a feature called the native VLAN. The whole idea of the native VLAN is to carry untagged frames over a trunk port: frames that belong to the native VLAN are sent without an 802.1Q tag, and untagged frames that arrive on a trunk are assumed to belong to the native VLAN. By default, VLAN 1 is the native VLAN, though the native VLAN can be manually configured on each trunk port. Two caveats for a practitioner: the native VLAN must match on both ends of a trunk, otherwise untagged frames silently cross from one VLAN into another; and because untagged traffic on a trunk is simply trusted to be native-VLAN traffic, the native VLAN is the one targeted by double-tagging VLAN-hopping attacks. Common practice is to set the native VLAN to an otherwise unused VLAN, keep no access ports in it, and tag it anyway where the platform allows (on Cisco IOS, vlan dot1q tag native).
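As an added example, not from the original article: a toy Python model of the forwarding rules described in this section and the previous ones (access ports, trunk ports, tagging on trunk egress, untagged native VLAN, and per-VLAN MAC learning). The port names F0/1 to F0/6, the MAC addresses and the ARP-style payload are constructed for the example; dropping tagged frames that arrive on an access port is a simplification, since real hardware varies in how it treats them.

```python
import struct

TPID = 0x8100
BROADCAST = b"\xff" * 6


def is_tagged(frame):
    return struct.unpack_from("!H", frame, 12)[0] == TPID


def tag_vid(frame):
    return struct.unpack_from("!H", frame, 14)[0] & 0xFFF


def strip_tag(frame):
    return frame[:12] + frame[16:]


def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


class Switch:
    """Toy Layer 2 switch: access/trunk ports, native VLAN, per-VLAN MAC learning (constructed model)."""

    def __init__(self):
        self.ports = {}       # port -> (kind, vid, allowed_vids); vid = access VLAN or trunk native VLAN
        self.mac_table = {}   # (vid, mac) -> port; learning is per VLAN, so VLANs never share entries

    def access(self, port, vid):
        self.ports[port] = ("access", vid, {vid})

    def trunk(self, port, native=1, allowed=None):
        # a real switch allows every VLAN on a trunk unless told otherwise; prune explicitly
        self.ports[port] = ("trunk", native, set(allowed) if allowed else set(range(1, 4095)))

    def _ingress(self, port, frame):
        """Decide which VLAN an arriving frame belongs to; return (vid, untagged_frame) or None."""
        kind, vid, allowed = self.ports[port]
        if kind == "access":
            # simplification: tagged frames on an access port are dropped
            return None if is_tagged(frame) else (vid, frame)
        if is_tagged(frame):
            vid, frame = tag_vid(frame), strip_tag(frame)   # tagged: the VID says which VLAN
        # untagged on a trunk: treated as the native VLAN
        return (vid, frame) if vid in allowed else None

    def forward(self, in_port, frame):
        """Return {egress_port: frame_as_transmitted} for one frame arriving on in_port."""
        hit = self._ingress(in_port, frame)
        if hit is None:
            return {}
        vid, plain = hit
        dst, src = plain[:6], plain[6:12]
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        if dst != BROADCAST and known is not None:
            targets = [] if known == in_port else [known]
        else:
            targets = [p for p in self.ports if p != in_port]   # flood, but only within this VLAN
        out = {}
        for p in targets:
            kind, pvid, allowed = self.ports[p]
            if vid not in allowed:
                continue                          # another VLAN's access port, or pruned on the trunk
            # trunks tag every VLAN except their native one; access ports always send untagged
            out[p] = add_tag(plain, vid) if kind == "trunk" and vid != pvid else plain
        return out


HOST_A = bytes.fromhex("0a0000000001")    # constructed MACs
HOST_C = bytes.fromhex("0a0000000003")
HOST_N = bytes.fromhex("0a0000000006")
ARP_PAYLOAD = b"\x08\x06" + b"\x00" * 28  # EtherType 0x0806 plus a zeroed ARP body


def build_switch():
    sw = Switch()
    sw.access("F0/1", 100); sw.access("F0/2", 100)
    sw.access("F0/3", 200); sw.access("F0/4", 200)
    sw.access("F0/6", 1)                                   # a host left in the native VLAN
    sw.trunk("F0/5", native=1, allowed={1, 100, 200})
    return sw


def broadcast_from_vlan100(sw):
    return sw.forward("F0/1", BROADCAST + HOST_A + ARP_PAYLOAD)


def tagged_200_from_trunk(sw):
    return sw.forward("F0/5", add_tag(BROADCAST + HOST_C + ARP_PAYLOAD, 200))


def native_vlan_to_trunk(sw):
    return sw.forward("F0/6", BROADCAST + HOST_N + ARP_PAYLOAD)
```

broadcast_from_vlan100 on the switch from build_switch shows the broadcast from F0/1 leaving F0/2 untagged and F0/5 tagged with VID 100 and nothing else; native_vlan_to_trunk shows the VLAN 1 host's broadcast leaving the trunk with no tag at all, which is the frame a receiver on the far end cannot distinguish from any other untagged traffic, and the reason the native VLAN should be an unused one.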

FORWARDING DATA BETWEEN VLANs

For devices in different VLANs to communicate with each other, there must be a means of forwarding data between them. A Layer 2 switch only forwards at Layer 2: it looks at the destination MAC address, checks for a match in its MAC address table and forwards the frame out of the matching port, and it does this separately within each VLAN. Devices in different VLANs can therefore only communicate through a Layer 3 device, such as a router. A router's interface can be configured as the default gateway of a VLAN. This is also where inter-VLAN traffic can be filtered: an access list on the routing device is what turns the Layer 2 separation into an actual access-control boundary.

As we can see, interface G0/0 of the router will be the default gateway of VLAN 100 and interface G0/1 will be the default gateway of VLAN 200. In this network, it follows that interface F0/5 of the switch is an access port in VLAN 100 and F0/6 is an access port in VLAN 200. Though this works, it is not advisable. Imagine we had 50 VLANs: does a router have 50 interfaces? No.

A better way to forward data between VLANs using a router is to use a single router interface to route traffic between all the VLANs. This is known as Router On A Stick (ROAS). One physical interface of the router is connected to a switch and is logically divided into sub-interfaces, one per VLAN, each of which sends and receives frames tagged with that VLAN's ID.

Router On A Stick

In this network, sub-interfaces will be configured on the G0/0 interface of the router, and those sub-interfaces will act as the default gateways for the various VLANs, meaning that the router will receive frames tagged for VLANs 100 and 200 over the one link. What type of port do you think switch port F0/5 will be configured as? If you said trunk port, you are right. If you didn't, scroll up to where we talked about trunk ports and read about them again.

Another means of forwarding data between VLANs is a Layer 3 switch with SVIs (Switch Virtual Interfaces). A Layer 3 (multilayer) switch has both Layer 2 switching and Layer 3 routing capabilities. An SVI can be configured for each VLAN on the switch, and it serves as the default gateway for that VLAN; routing between VLANs then happens inside the switch, so no separate router and no trunk to a router are required.

The VLANs will also be configured on the Layer 3 switch, and the port between the two switches will be a trunk port.

With this, we've come to the end of this article. It's quite a lengthy one but, believe me, this is just the surface. In the next article, we will go through the configuration of VLANs, ROAS and SVIs. Have a great day, and feel free to reach out in the comment section. Bye!
