Vlan Tutorial
Application Note
_____________________________________________________________
Version 3.0
May 2002
COMPAS ID 90947
Avaya Labs
Companion document
Introduction
As the name implies, the purpose of this presentation is to
provide a simplified tutorial on local area networks (LANs) and virtual
local area networks (VLANs).
The instructions and terminology used in this presentation attempt
to comply with industry practices and written standards. They represent
the generally accepted implementations of the written standards.
It is important to understand that written standards are sometimes
ambiguous, and are thus implemented differently among various
vendors. This tutorial seeks to balance between the two and does not
rely solely on written standards or specific implementations.
All IP addresses and numbering schemes in this tutorial are
hypothetical, and used for illustration purposes.
[Figure: the TCP/IP stack, top to bottom: Application; Host to Host (TCP/UDP); Internet (IP); Network Interface]
Note: Simple hubs have a single bus that is capable of operating at either 10Mbps or
100Mbps, but not both. These are pure L1 devices, no smarter than the original coax
Ethernet bus they replaced. The very common 10/100 hubs actually have two buses, a
10M bus and a 100M bus, which are bridged. This bridging function is a L2 function, so
technically speaking 10/100 hubs are not pure L1 devices.
An overview of LANs
All hosts are aware of their individual subnet and mask, and what that
implies.
All hosts on the LAN segment receive the ARP Request message, but
only Y recognizes the request as pertaining to its IP address.
The ARP Request message contains X's MAC and IP addresses.
All hosts make an entry with this mapping in their respective ARP caches.
Entries in ARP caches are designed to time out, typically after a few
minutes. When this happens, the ARP process is repeated.
Back to LANs
Take the previous diagram and connect the two segments together to
make one physical LAN segment (not recommended).
Hosts on one subnet still could not communicate with hosts on the other
subnet because:
Hosts are aware of their subnet and will only ARP for addresses in their
subnet. For example, 10.1.1.11 will not ARP for 10.1.2.11.
To get to hosts on another subnet, an IP gateway is required.
Now it should be more clear why a LAN segment typically has only one
associated IP subnet.
Why broadcast messages to hosts that don't need to see them?
In most cases it is preferable to maintain a 1-to-1 mapping of a L2
broadcast domain (physical LAN segment) to a L3 broadcast domain
(logical IP subnet).
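The on-link test and the ARP exchange described above can be modelled in a few lines. The following Python is an added example, not part of the tutorial: the hosts, MAC addresses and the 120-second cache timeout are constructed values, using the tutorial's hypothetical 10.1.1.0/24 and 10.1.2.0/24 subnets. As the tutorial states, every host on the segment caches the requester's mapping, and a host only ARPs for addresses inside its own subnet, so a host on another subnet is unreachable without a gateway even when it is on the same wire.

```python
import ipaddress

# Constructed example: a host's next-hop decision plus a timing-out ARP cache.


class Host:
    """Minimal model of a host's subnet awareness and ARP cache."""

    def __init__(self, name, ip, prefixlen, mac, gateway=None, arp_ttl=120.0):
        self.name = name
        self.iface = ipaddress.IPv4Interface(f"{ip}/{prefixlen}")
        self.mac = mac
        self.gateway = ipaddress.IPv4Address(gateway) if gateway else None
        self.arp_ttl = arp_ttl  # seconds before a cache entry expires (constructed value)
        self.arp_cache = {}     # IPv4Address -> (mac, time_inserted)

    def next_hop(self, dst):
        """IP address the host will ARP for when sending to dst.

        On-link destinations are ARPed directly; anything outside the host's
        subnet goes to the configured gateway, or nowhere if there is none.
        """
        dst = ipaddress.IPv4Address(dst)
        if dst in self.iface.network:
            return dst
        return self.gateway

    def learn(self, ip, mac, now):
        self.arp_cache[ipaddress.IPv4Address(ip)] = (mac, now)

    def lookup(self, ip, now):
        """Cached MAC for ip, or None (an expired entry is removed and the
        ARP process is repeated by the caller)."""
        ip = ipaddress.IPv4Address(ip)
        entry = self.arp_cache.get(ip)
        if entry is None:
            return None
        mac, inserted = entry
        if now - inserted > self.arp_ttl:
            del self.arp_cache[ip]
            return None
        return mac

    def resolve(self, segment, dst, now):
        """MAC to put on the wire for dst: ARP for the next hop if needed."""
        hop = self.next_hop(dst)
        if hop is None:
            return None  # off-link destination and no gateway: unreachable
        mac = self.lookup(hop, now)
        if mac is None:
            mac = arp_request(segment, self, hop, now)
        return mac


def arp_request(segment, sender, target_ip, now):
    """Broadcast an ARP Request on a segment (a list of attached hosts).

    Every host on the segment receives the request and caches the sender's
    IP -> MAC mapping; only the host owning target_ip replies. Returns the
    replying host's MAC, or None if nobody on the segment owns the address.
    """
    target_ip = ipaddress.IPv4Address(target_ip)
    reply = None
    for host in segment:
        if host is sender:
            continue
        host.learn(sender.iface.ip, sender.mac, now)
        if host.iface.ip == target_ip:
            reply = host.mac
    if reply is not None:
        sender.learn(target_ip, reply, now)
    return reply


if __name__ == "__main__":
    # X and Y share 10.1.1.0/24; Z is on 10.1.2.0/24 but on the same wire.
    x = Host("X", "10.1.1.10", 24, "00:00:00:00:00:0a")
    y = Host("Y", "10.1.1.11", 24, "00:00:00:00:00:0b")
    z = Host("Z", "10.1.2.11", 24, "00:00:00:00:00:0c")
    wire = [x, y, z]
    print("X -> Y:", x.resolve(wire, "10.1.1.11", 0.0))   # Y's MAC
    print("X -> Z:", x.resolve(wire, "10.1.2.11", 0.0))   # None: X will not ARP for 10.1.2.11
```

Giving X a gateway address inside its own subnet changes only the next hop: X then ARPs for the gateway rather than for Z, which is the router-based reachability the following slides describe.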
Note: Having two different routers with different subnets on one LAN segment can
also cause serious problems with routing in rare configurations, which will not be
discussed in detail here.
What if we were to connect the two LAN segments together? (again, not
recommended, and might produce an error condition on the router)
Hosts on one subnet would still require the router to communicate with hosts
on the other subnet.
But now the broadcasts would leak from one subnet to the other, because
we've created one LAN segment.
We have one L2 broadcast domain (LAN segment) with two L3 broadcast
domains (IP subnets) :-(
Transition to VLANs
What was before two separate LAN segments is now two VLANs, and all
the same conditions apply.
Hosts on VLAN1 cannot communicate with hosts on VLAN2 without an IP
gateway. This would be true even if we physically connected the two VLANs
together with a cross-over cable.
Broadcasts on VLAN1 do not leak onto VLAN2, but they would if we were to
connect the two VLANs together with a cross-over cable.
What if we did connect the two VLANs together with a cross-over cable?
In effect, this results in one VLAN (one L2 broadcast domain) with two
subnets (two L3 broadcast domains), which is not desired.
No different than connecting two physical LAN segments together.
BUT...
A simple wiring error through the closets
could end up in this.
This is a technically valid configuration.
VLANs are local to the Ethernet switch and
do not have to match across switches.
But probably no one would intentionally do
something like this.
Terminology check
access port / link - 802.1Q terms to define a port with one or more
untagged VLANs, and a link connecting two such ports.
trunk port / link - 802.1Q term to define a port with multiple VLANs that
are all tagged, and a link connecting two such ports.
hybrid port / link - 802.1Q term to define a port with both untagged and
tagged VLANs, and a link connecting two such ports.
VID - 802.1Q acronym for VLAN ID
PVID - 802.1Q acronym for port VLAN ID
tagged frame - An Ethernet or 802.3 frame with the 802.1Q tag.
clear frame - An Ethernet or 802.3 frame with no tag.
VLAN trunking - a generic networking vernacular term to describe the
process of forwarding multiple VLANs across a single link, whether via
802.1Q or proprietary protocols like Cisco's ISL.
802.1Q tag
When one switch sends an Ethernet frame to the other, the transmitting
switch inserts the 802.1Q tag with the appropriate VID (with the exception
of the PVID/native VID in some cases).
The receiving switch reads the VID and forwards the Ethernet frame to
the appropriate VLAN.
Because the native VLAN is not tagged, the native VIDs do not have to
match. Both of the following scenarios are technically valid, but probably
no one would intentionally implement the second scenario.
In terms of ingress:
An access port with just the port VLAN accepts clear frames and
priority-tagged frames (frames with VID zero, discussed in the next slide).
An access port bound to multiple VLANs accepts clear frames or
priority-tagged frames on the port VLAN, and VLAN-tagged frames on the
other VLANs.
A trunk port behaves exactly like an access port in terms of ingress traffic.
Although zero should be used, tagging with the PVID/native VID instead of
zero typically does not hinder operation. Some Cisco switches actually
require this because they don't understand VID zero.
Note: There is no null priority. Priority zero is a priority with value zero.
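The tag layout, the ingress rules listed above, the VID-zero note and the untagged native VLAN from the earlier slides can all be exercised with one small frame builder. The following Python is an added example and is not code from the tutorial or from any switch vendor: the `SwitchPort` class, the port/VLAN numbers and the MAC addresses are constructed for illustration. It inserts a 4-byte 802.1Q tag (TPID 0x8100, then a 16-bit TCI holding 3 bits of priority, 1 DEI bit and a 12-bit VID) after the source MAC, parses it back, and classifies ingress frames the way the slides describe: clear and VID-zero frames land on the PVID, a frame tagged with the PVID also lands there, and a frame tagged with a VLAN the port is not a member of is discarded.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Ethernet II frame; with vid set, an 802.1Q tag is inserted after the
    source MAC. vid=0 yields a priority-tagged frame (priority only, no VLAN)."""
    hdr = _mac(dst) + _mac(src)
    if vid is not None:
        if not 0 <= vid <= 4094:  # 4095 is reserved by 802.1Q
            raise ValueError("VID out of range")
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into addresses, optional 802.1Q fields, EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "dei": None, "vid": None}
    (tpid,) = struct.unpack("!H", frame[12:14])
    off = 12
    if tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF)
        off = 16
    (info["ethertype"],) = struct.unpack("!H", frame[off:off + 2])
    info["payload"] = frame[off + 2:]
    return info


def retag(frame, vid, pcp=0):
    """Return the frame with its tag replaced; vid=None strips the tag."""
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                       vid=vid, pcp=pcp)


class SwitchPort:
    """Constructed model of one 802.1Q port: a PVID plus tagged member VLANs."""

    def __init__(self, pvid, tagged_vids=()):
        self.pvid = pvid
        self.member_vids = {pvid, *tagged_vids}

    def ingress(self, frame):
        """VID the arriving frame is assigned to, or None if it is discarded."""
        f = parse_frame(frame)
        if not f["tagged"] or f["vid"] == 0:
            return self.pvid          # clear or priority-tagged: port VLAN
        if f["vid"] in self.member_vids:
            return f["vid"]           # tagged with a VLAN this port carries
        return None                   # tagged with a VLAN this port does not carry

    def egress(self, frame, vid):
        """Frame as it leaves the port: tagged with vid, except that the
        port VLAN (native VLAN) is sent untagged."""
        if vid not in self.member_vids:
            raise ValueError("VLAN not on this port")
        return retag(frame, None if vid == self.pvid else vid)


if __name__ == "__main__":
    clear = build_frame("ff:ff:ff:ff:ff:ff", "00:00:00:00:00:0a", 0x0806, b"arp")
    port = SwitchPort(pvid=1, tagged_vids=(10, 20))
    print("clear frame ->", port.ingress(clear))
    print("VID 10 frame ->", port.ingress(retag(clear, 10)))
    print("VID 30 frame ->", port.ingress(retag(clear, 30)))
    # Mismatched native VIDs on a link: untagged traffic silently changes VLAN.
    a, b = SwitchPort(pvid=1, tagged_vids=(10,)), SwitchPort(pvid=5, tagged_vids=(10,))
    print("native VID 1 on A arrives on B as VLAN", b.ingress(a.egress(clear, 1)))
```

The last two lines reproduce the "technically valid but unintended" native-VID mismatch from the earlier slide: because the native VLAN leaves switch A untagged, switch B has nothing to read and places the frame on its own PVID.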
Pure speculation: The 802.1Q tag came after the Ethernet frame to facilitate VLAN
trunking and L2 priority tagging. The tag is not integrated into the Ethernet frame
but is added to it when necessary. As VLAN trunking and priority tagging become
commonplace with the proliferation of 802.1Q-capable NICs and network devices,
we may see the 802.1Q tag become integrated into the Ethernet frame.
Users connect to L2 switches. These are access switches that may or may
not be VLAN-capable.
VLANs 2-5 are user VLANs for devices such as user PCs.
In the previous scenario the user VLANs traverse the access and
distribution switches, which results in broadcasts across the uplinks.
Conclusion
At first the Ethernet LAN was a shared coax bus (thick-net, thin-net).
The hub replaced the coax bus, but there were still collisions on the hub.
The switch replaced the hub and removed the collisions, but the switch
itself was one L2 broadcast domain.
Then smart L2 switches came along that could create multiple VLANs
(multiple L2 broadcast domains) on a single switch. IEEE 802.1Q is the
standard that brought this about.
The 802.1Q tag facilitates VLAN trunking between these switches.
At some point L3 (routing) functionality was added to these switches to
remove the need for an external router in many cases.