Thus, it seems natural to build several separate networks based on independent devices. Of course this is possible and sometimes even necessary. But is it the only solution? Help comes in the form of managed switches that allow many logical networks to be configured on a single device.
A Virtual Local Area Network (VLAN) allows a larger physical computer network to be divided into logical, isolated segments. This functionality is implemented at the second layer of the ISO/OSI model. VLAN technology is described in the 802.1Q standard. VLANs are usually used for:
The picture below shows the idea of a VLAN. On switch SW, which supports VLAN configuration, the network has been split into two logical networks, which physically corresponds to a configuration on two independent switches (SW1 and SW2).
Only devices that belong to the same VLAN can communicate with each other because each VLAN determines an independent broadcast domain. One VLAN corresponds to one broadcast domain, so any kind of traffic within one VLAN (unicast, multicast, broadcast) is not visible in other VLANs.
Apart from isolating network segments, this approach also reduces the flooding of switch ports with ARP and DHCP packets, which never cross VLAN boundaries. The switch keeps a separate table of physical (MAC) addresses for each VLAN.
VLAN configuration is implemented on layer two (L2) network switches. Generally speaking, it is done by creating a "vlan" object on the switch and assigning specific physical switch ports to it. In this way, you can create isolated virtual local networks on one physical switch (or across multiple network switches regardless of their location).
Where a switch carries traffic for several logical networks, it must receive information about which network each frame should be directed to.
Depending on the type of port that has been defined, the switch adds, leaves unchanged or removes the so-called VLAN tag in the Ethernet frame (the frame is the smallest unit of transmission in an Ethernet network; it has specific header fields that facilitate transmission, and the actual data, e.g. a fragment of a file such as a movie, is carried in the Data field).
The VLAN tag is used by the switch to "find" the VLAN and, at the same time, the end device (workstation, printer) to which the data carried in the Ethernet Data field is to be delivered, based on the specific VLAN ID.
A VLAN tag is placed in an Ethernet frame between the source address and the type/length field. It consists of 4 bytes, which include:
Adding the 4-byte tag to the Ethernet frame raises the maximum frame size from 1518 to 1522 bytes. On trunk or hybrid ports, outgoing frames are marked with a VLAN tag carrying the number (VLAN ID) of the VLAN they originate from.
On access ports, frames are always sent untagged (they do not contain a VLAN tag). It is also possible to add a second tag to a frame; such a frame is called double-tagged, and it is covered in another article.
The term "port type" on a switch has already been used. What does it mean, if physically all the sockets look identical?
Put in one sentence: the type of a port depends on the type of traffic it handles. This definition is quite intuitive, because ports are divided into:
Access port - used to connect end devices; it is assigned to a specific VLAN. Traffic sent out through this port is untagged (the frame has no VLAN tag), and only traffic from the assigned VLAN is sent. Traffic entering this port is directed to the VLAN to which the port has been assigned.
Trunk port – used to connect switches to each other (and switches to routers) and to carry multiple VLANs on a single link. To carry multiple data streams over one link, frames from the different VLANs on a trunk link carry VLAN tags with their respective VLAN IDs. One VLAN, referred to as the native VLAN, is transmitted over the trunk link untagged. Traffic entering this port is interpreted on the basis of the VLAN tag assigned by the device on the other side of the link. If untagged traffic enters the trunk port, it is directed to the defined native VLAN.
Hybrid port - combines the features of access and trunk ports; it allows both tagged and untagged VLANs, including untagged VLANs other than the native VLAN, to be sent over a single link.
The term native VLAN appeared while describing the port types. This is an additional VLAN defined on a trunk or hybrid link. Outgoing traffic that belongs to the native VLAN is sent untagged on the trunk or hybrid link, and untagged traffic entering a trunk or hybrid port goes directly to the native VLAN. Note that the native VLAN is set separately on each side of the link; for proper traffic handling, the same VLAN number must be set on both sides.
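The following is an added worked example, not code from the original article: it parses and builds the 4-byte 802.1Q tag described above (the standard's layout, a 0x8100 tag protocol identifier followed by PCP, DEI and a 12-bit VLAN ID, is assumed), and models how an access or trunk port classifies incoming frames and tags outgoing ones, including untagged frames falling into the native VLAN. The port dictionaries, the sample frame and the rule that an access port drops tagged frames are constructed assumptions for the demonstration.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q Tag Protocol Identifier, marks the 4-byte tag after the source MAC

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame; vid/pcp are None when no 802.1Q tag is present."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:                     # tag sits between src MAC and type/length
        (tci,) = struct.unpack("!H", frame[14:16])  # Tag Control Information: PCP(3) DEI(1) VID(12)
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return {"dst": dst, "src": src, "pcp": tci >> 13, "vid": tci & 0x0FFF,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "pcp": None, "vid": None,
            "ethertype": ethertype, "payload": frame[14:]}

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source address (frame is assumed untagged)."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the outer 802.1Q tag if there is one."""
    return frame[:12] + frame[16:] if parse_frame(frame)["vid"] is not None else frame

def classify_ingress(port: dict, frame: bytes):
    """VLAN the switch assigns to an incoming frame, or None if it drops the frame."""
    vid = parse_frame(frame)["vid"]
    if port["type"] == "access":
        # untagged -> the port's VLAN; a tagged frame on an access port is dropped here (assumption)
        return port["vlan"] if vid is None else None
    # trunk: tagged frames keep their VID, untagged frames fall into the native VLAN
    if vid is None:
        return port["native"]
    return vid if vid in port["allowed"] else None

def prepare_egress(port: dict, vid: int, frame: bytes):
    """Frame as it leaves the port for VLAN `vid`, or None if that VLAN is not carried."""
    untagged = strip_tag(frame)
    if port["type"] == "access":
        return untagged if vid == port["vlan"] else None
    if vid not in port["allowed"]:
        return None
    return untagged if vid == port["native"] else add_tag(untagged, vid)

def native_vlan_matches(port_a: dict, port_b: dict) -> bool:
    # both ends of a trunk must agree on the native VLAN, or untagged frames change VLAN
    return port_a["native"] == port_b["native"]

# constructed sample frame: dst MAC, src MAC, IPv4 EtherType, short payload (no FCS)
SAMPLE = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + b"payload"
```

Running `prepare_egress` on a trunk for the native VLAN returns the frame untagged, while any other allowed VLAN comes back with a tag inserted and the original type/length field preserved after it.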
A sample VLAN configuration (N - means non-tagged traffic, 33, 100, 200 - sample VLAN numbers)
VLAN technology offers many configuration options. The most common applications are:
Nowadays, dividing a network into VLANs is one of the aspects taken into consideration when designing a network.
This is done for the purpose of better organization, operation and security of the entire network. These capabilities are available on most layer 2 network switches. Such an approach enables good practices that logically separate both end users and different types of network traffic.
Additionally, from the network management point of view and for implementing security policies, the functionality of layer 2 managed switches gives network administrators many more possibilities.