
Application Note

LANs and VLANs


A Simplified Tutorial
Version 3.0 May 2002 COMPAS ID 90947

Avaya Labs

Companion document

IP Addressing: A Simplified Tutorial


COMPAS ID 92962

Introduction
As the name implies, the purpose of this presentation is to provide a simplified tutorial on local area networks (LANs) and virtual local area networks (VLANs). The instructions and terminology used in this presentation attempt to comply with industry practices and written standards. They represent the generally accepted implementations of the written standards. It is important to understand that written standards are sometimes ambiguous, and are thus implemented differently among various vendors. This tutorial seeks to balance between the two and does not rely solely on written standards or specific implementations. All IP addresses and numbering schemes in this tutorial are hypothetical, and used for illustration purposes.

First, the basics

OSI and TCP/IP


OSI Reference Model    TCP/IP                    Terms used in this tutorial
7 Application          Application
6 Presentation         Application
5 Session              Application
4 Transport            Host to Host (TCP/UDP)
3 Network              Internet (IP)             router, subnet, IP address
2 Data Link            Network Interface         switch, VLAN, MAC address
1 Physical             Network Interface         Ethernet hub

This table is presented for reference purposes.


The first column shows the 7-layer OSI Reference Model, which is a model used to design protocols that make networking possible. The second column shows the TCP/IP protocol stack in reference to the OSI model. TCP/IP is the prevalent protocol stack for data networking. The third column shows the terms that will be used in this tutorial, in reference to both OSI and TCP/IP.

Hub (a collision domain)


A hub is a L1 (physical layer) multi-port repeater.
It receives a signal on one port, regenerates it, and transmits it out all ports. All devices connected to a hub receive any transmission on that hub, regardless of the intended recipient.
Note: Simple hubs have a single bus that is capable of operating at either 10Mbps or 100Mbps, but not both. These are pure L1 devices, no smarter than the original coax Ethernet bus they replaced. The very common 10/100 hubs actually have two buses, a 10M bus and a 100M bus, which are bridged. This bridging function is a L2 function, so technically speaking 10/100 hubs are not pure L1 devices.

Two or more devices on a hub cannot transmit at the same time.


When two or more devices simultaneously transmit, there is a collision. The devices must back off and re-transmit at dispersed intervals, so that only one device is transmitting at any given time.

Because of these characteristics, a hub (or a group of hubs connected together) is known as a collision domain. Hubs operate only at half duplex; attached devices cannot transmit and receive at the same time. Generally speaking, only four 10M hubs or two 100M hubs can be connected together.

Switch (a broadcast domain)


A switch is more than just a repeater. It is a L2 (data link layer) bridge, which means that it is aware of L2 MAC addresses.
MAC addresses and Ethernet frames will be discussed in more detail later.

A switch keeps track of which devices are connected to which ports by maintaining a table of the MAC-address-to-switch-port mapping.
We'll simply call this the MAC table. It is populated by recording the source MAC addresses of incoming Ethernet frames on each port. MAC table entries are designed to time out, typically after a few minutes, if no further frame from the same source is received on that port.

Transmissions on a switch are sent only to the intended recipients, determined by the destination MAC address.
The exception to this is if the destination MAC address is not already in the MAC table, in which case the Ethernet frame is transmitted out all ports.

Broadcasts are sent to all recipients, as they are intended to be. For this reason, a switch (or a group of switches connected together) is known as a broadcast domain. Switches can operate at full duplex; multiple attached devices can transmit and receive at the same time.

An overview of LANs

A single hub or switch is a physical LAN segment.


Ethernet segment is more precise, but we'll use the general term.

An IP endpoint (PC, server, IP phone, etc.) is a host and has an IP address.


In this diagram the hub or switch itself is also a host, with an IP address.

A LAN segment typically contains one IP network or sub-network. There is a difference between the two, but the term subnet is generally used.
We will not address in detail the case of two or more subnets residing on one LAN segment, which is a valid but uncommon case.

This subnet is 10.1.1.0 with subnet mask 255.255.255.0, which implies the following.

Host addresses are 10.1.1.1 through 10.1.1.254.
Broadcast address is 10.1.1.255, which is the IP address used to transmit to all hosts on the subnet.

All hosts are aware of their individual subnet and mask, and what that implies.

Two or more hubs or switches connected together still constitute one physical LAN segment. The only differences between this diagram and the previous are the following.
Having two hubs or switches increases the port density.
The up-link between the two devices may be a bottleneck.
Note: It is not required that a hub or switch have an IP address. However, the device is very likely to have an IP address if it is remotely manageable (i.e., configure, troubleshoot, view statistics, upgrade firmware, etc.). Otherwise, the device must be managed via a console port or not at all.

Now we've added a second LAN segment, which contains a different IP subnet. All hosts on the second subnet have addresses pertaining to that subnet. Hosts on one subnet cannot communicate with hosts on the other subnet.
The obvious reason is that the two LAN segments are physically separated. However...


Break for an explanation of ARP


IP addresses and MAC addresses


An IP address is a 32-bit Network Layer (L3) address on the OSI model. It is configured on each IP host. A MAC address is a 48-bit Data Link Layer (L2) address on the OSI model. It is typically burned into the network interface card or equivalent, and is a combination of the manufacturer ID and the board ID (serial number). An IP packet, with source and destination IP addresses, is encapsulated in an Ethernet frame, with source and destination MAC addresses. The Ethernet frame is then transmitted on the LAN segment.

On a LAN segment, hosts communicate with one another using MAC addresses, even though applications use IP addresses.
Therefore, each IP host must resolve the destination IP address to the destination MAC address before sending an IP packet. This is done using the Address Resolution Protocol (ARP).

How ARP works


Host X needs to send an IP packet to host Y but only knows Y's IP address. X sends an ARP Request message containing Y's IP address, which is broadcast to all the hosts on the LAN segment.
Remember that hosts communicate with each other using MAC addresses. This broadcast is a MAC broadcast, which means that the destination MAC address is a L2 broadcast address (all 48 address bits are ones). The source MAC address of this ARP Request message is X's MAC address.

All hosts on the LAN segment receive the ARP Request message, but only Y recognizes the request as pertaining to its IP address.
The ARP Request message contains X's MAC and IP addresses. All hosts make an entry with this mapping in their respective ARP caches.

Y sends a unicast ARP Reply message containing its MAC and IP addresses directly to X.
X now knows Y's MAC and IP addresses, and makes a corresponding entry in its ARP cache.

Entries in ARP caches are designed to time out, typically after a few minutes. When this happens, the ARP process is repeated.

Back to LANs


Take the previous diagram and connect the two segments together to make one physical LAN segment (not recommended). Hosts on one subnet still could not communicate with hosts on the other subnet because
Hosts are aware of their subnet and will only ARP for addresses in their subnet. For example, 10.1.1.11 will not ARP for 10.1.2.11. To get to hosts on another subnet, an IP gateway is required.

But broadcasts (including ARPs) would be seen by all hosts because


The broadcast is at the MAC layer (L2) and is seen by all hosts on the same physical LAN segment.

But wait. We said that each IP subnet had a broadcast IP address, so why doesn't that limit the broadcast to just one subnet? Yes, the broadcast address for subnet 10.1.1.0 with mask 255.255.255.0 is 10.1.1.255. And the broadcast address for subnet 10.1.2.0 with mask 255.255.255.0 is 10.1.2.255. But hosts can't communicate using IP addresses, so these IP broadcasts are converted to MAC broadcasts. The sequence is as follows.
Host 10.1.1.11 sends a broadcast packet to 10.1.1.255.
The IP packet with destination broadcast IP address 10.1.1.255 is encapsulated in an Ethernet frame with destination broadcast MAC address FFFFFFFFFFFF (hex for 48 binary ones).
Every host on the LAN segment sees the MAC broadcast.
Only hosts on subnet 10.1.1.0 dig deeper into the IP packet.
Hosts on subnet 10.1.2.0 must examine the MAC broadcast, but ignore the IP broadcast because it pertains to a different subnet.
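The ARP exchange and the broadcast handling described above, as an added Python example that is not part of the original note: hosts X and Y sit on 10.1.1.0/24 with gateway 10.1.1.254 and host Z on 10.1.2.0/24, all wired to the same segment as in the "not recommended" diagram. The MAC addresses, the gateway and the 120-second cache timeout are constructed assumptions.

```python
# Added example, not from the Avaya note: a model of one shared LAN segment whose
# hosts resolve IP addresses with ARP. MACs and the cache timeout are constructed.
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_TIMEOUT = 120.0   # seconds an ARP cache entry stays valid (constructed value)

class Host:
    def __init__(self, ip, mask, mac, gateway=None):
        self.iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        self.ip, self.mac = self.iface.ip, mac
        self.gateway = ipaddress.IPv4Address(gateway) if gateway else None
        self.arp_cache = {}    # IPv4Address -> (mac, time learned)
        self.received = []     # payloads accepted at the IP layer
        self.segment = None

    def next_hop(self, dst_ip):
        """Hosts only ARP for addresses in their own subnet; others go via the gateway."""
        dst = ipaddress.IPv4Address(dst_ip)
        return dst if dst in self.iface.network else self.gateway

    def lookup(self, ip, now):
        entry = self.arp_cache.get(ip)
        return entry[0] if entry and now - entry[1] < ARP_TIMEOUT else None

    def resolve(self, dst_ip, now):
        """Destination MAC for dst_ip, broadcasting an ARP Request if it is not cached."""
        target = self.next_hop(dst_ip)
        if target is not None and self.lookup(target, now) is None:
            request = {"arp": "request", "sip": self.ip, "smac": self.mac, "tip": target}
            self.segment.transmit(self, BROADCAST_MAC, request, now)   # L2 broadcast
        return None if target is None else self.lookup(target, now)

    def send_ip(self, dst_ip, data, now):
        dst = ipaddress.IPv4Address(dst_ip)
        is_bcast = dst == self.iface.network.broadcast_address
        mac = BROADCAST_MAC if is_bcast else self.resolve(dst, now)   # IP bcast -> MAC bcast
        if mac is not None:
            self.segment.transmit(self, mac, {"dst_ip": dst, "data": data}, now)
        return mac

    def receive(self, frame, now):
        if frame["dst_mac"] not in (self.mac, BROADCAST_MAC):
            return
        p = frame["payload"]
        if "arp" in p:
            self.arp_cache[p["sip"]] = (p["smac"], now)   # everyone caches the sender
            if p["arp"] == "request" and p["tip"] == self.ip:
                reply = {"arp": "reply", "sip": self.ip, "smac": self.mac, "tip": p["sip"]}
                self.segment.transmit(self, frame["src_mac"], reply, now)   # unicast
            return
        # A MAC broadcast reaches every host, but an IP broadcast for another
        # subnet is examined and then ignored.
        if p["dst_ip"] in (self.ip, self.iface.network.broadcast_address):
            self.received.append(p["data"])

class Segment:
    """One physical LAN segment: every attached host sees every frame (hub semantics)."""
    def __init__(self):
        self.hosts, self.frames = [], []

    def attach(self, *hosts):
        for h in hosts:
            h.segment = self
            self.hosts.append(h)

    def transmit(self, sender, dst_mac, payload, now):
        frame = {"src_mac": sender.mac, "dst_mac": dst_mac, "payload": payload}
        self.frames.append(frame)
        for h in self.hosts:
            if h is not sender:
                h.receive(frame, now)

def build_segment():
    """Two subnets sharing one segment, as in the note's 'not recommended' diagram."""
    seg = Segment()
    x = Host("10.1.1.11", "255.255.255.0", "00:00:0c:01:01:11", "10.1.1.254")
    y = Host("10.1.1.12", "255.255.255.0", "00:00:0c:01:01:12", "10.1.1.254")
    z = Host("10.1.2.11", "255.255.255.0", "00:00:0c:01:02:11")
    seg.attach(x, y, z)
    return seg, x, y, z
```

Sending from X to Y costs three frames (broadcast request, unicast reply, the packet itself), Z caches X's mapping from the request without replying, and an IP broadcast to 10.1.1.255 reaches Z at L2 but is never accepted at L3.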

Now it should be clearer why a LAN segment typically has only one associated IP subnet. Why broadcast messages to hosts that don't need to see them? In most cases it is preferable to maintain a 1-to-1 mapping of a L2 broadcast domain (physical LAN segment) to a L3 broadcast domain (logical IP subnet).
Note: Having two different routers with different subnets on one LAN segment can also cause serious problems with routing in rare configurations, which will not be discussed in detail here.


Enter the router - the IP gateway. This is a L3 (network layer) device. Now when host 10.1.1.11 wants to send an IP packet to host 10.1.2.11, host 1.11 forwards the packet to the gateway (1.254 in this diagram). This router forwards the packet directly to the 2.11 host because the 10.1.2.0 subnet is directly connected. Otherwise, the packet would be forwarded to the next hop router en route to that subnet. The router, which is a L3 boundary, is a broadcast barrier.
Broadcasts on one subnet are not transmitted across the router to the other subnet, unless specifically configured to do so.

What if we were to connect the two LAN segments together? (again, not recommended, and might produce an error condition on the router)
Hosts on one subnet would still require the router to communicate with hosts on the other subnet. But now the broadcasts would leak from one subnet to the other, because we've created one LAN segment. We have one L2 broadcast domain (LAN segment) with two L3 broadcast domains (IP subnets) :-(


Transition to VLANs


A smart L2 switch is required to implement VLANs, which are specified in the IEEE 802.1Q standard.
Hubs no longer apply, because they are simply dumb repeaters that operate at L1. Simple switches with no 802.1Q intelligence also do not apply.

A filtering database resident on the switch keeps track of which ports belong on which VLAN. Every port belongs to at least one VLAN, which is the port/native VLAN.
The 802.1Q standard and most Cajun switches call this the port VLAN, with an associated port VLAN ID (PVID). Cisco switches call this the native VLAN. Although VLAN1 is the default port/native VLAN, this can be changed on a per port basis by configuration.

What was once a physical LAN segment is now a logical VLAN.


If we want to add a second VLAN, we don't need a second switch.


We simply create another VLAN on the same switch and assign the desired ports to that VLAN (we change the port/native VLAN on the desired ports). The switch's filtering database maintains the port-to-VLAN mapping. This diagram is analogous to having two separate switches or LAN segments.

By default a host pertains to the port/native VLAN of the connected port, and must be configured with the proper IP address for that VLAN.
In this diagram hosts on VLAN1 are on one IP subnet, and hosts on VLAN2 are on a different IP subnet, which is the correct implementation. In this diagram the switch itself is configured to be a host on VLAN1.

Continuing with the same diagram...

What was before two separate LAN segments is now two VLANs, and all the same conditions apply.
Hosts on VLAN1 cannot communicate with hosts on VLAN2 without an IP gateway. This would be true even if we physically connected the two VLANs together with a cross-over cable. Broadcasts on VLAN1 do not leak onto VLAN2, but they would if we were to connect the two VLANs together with a cross-over cable.

What if we did connect the two VLANs together with a cross-over cable?
In effect, this results in one VLAN (one L2 broadcast domain) with two subnets (two L3 broadcast domains), which is not desired. No different than connecting two physical LAN segments together.
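An added example, not from the note, of the switch behaviour described in this section and in the earlier MAC table section: a learning switch whose filtering database holds the port-to-VLAN mapping and a (VLAN, MAC)-to-port table with ageing, so that known unicasts go only to the intended recipient while floods and broadcasts stay inside one VLAN. Port numbers, MAC strings and the 300-second ageing time are assumptions.

```python
# Added example, not from the Avaya note: a VLAN-aware learning switch whose
# filtering database maps each port to its port/native VLAN and each
# (VLAN, MAC) pair to the port it was learned on. Port numbers, MACs and the
# ageing time are constructed values.
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
AGEING_TIME = 300.0   # seconds before an unrefreshed MAC table entry expires (constructed)

class Switch:
    def __init__(self, port_vlans):
        self.pvid = dict(port_vlans)   # port -> PVID; one VLAN per port in this model
        self.mac_table = {}            # (vlan, mac) -> (port, time last seen)

    def ports_in_vlan(self, vlan):
        return [p for p, v in self.pvid.items() if v == vlan]

    def learn(self, vlan, mac, port, now):
        """Record (or refresh) the source MAC of an incoming frame against its ingress port."""
        self.mac_table[(vlan, mac)] = (port, now)

    def lookup(self, vlan, mac, now):
        entry = self.mac_table.get((vlan, mac))
        if entry is None:
            return None
        port, seen = entry
        if now - seen >= AGEING_TIME:  # entry timed out: treat the MAC as unknown again
            del self.mac_table[(vlan, mac)]
            return None
        return port

    def forward(self, in_port, src_mac, dst_mac, now):
        """Egress ports for a clear (untagged) frame that arrived on in_port."""
        vlan = self.pvid[in_port]      # a clear frame belongs to the port/native VLAN
        self.learn(vlan, src_mac, in_port, now)
        if dst_mac != BROADCAST_MAC:
            port = self.lookup(vlan, dst_mac, now)
            if port is not None:       # known unicast: send only to the intended recipient
                return [] if port == in_port else [port]
        # Broadcast or unknown destination: flood, but only to ports in the same
        # VLAN, which is what makes each VLAN its own L2 broadcast domain.
        return [p for p in self.ports_in_vlan(vlan) if p != in_port]

def example_switch():
    """Eight ports on one switch: ports 1-4 on VLAN 1, ports 5-8 on VLAN 2."""
    return Switch({1: 1, 2: 1, 3: 1, 4: 1, 5: 2, 6: 2, 7: 2, 8: 2})
```

A frame from a VLAN 2 port addressed to a MAC learned on VLAN 1 is flooded only to VLAN 2 ports, so it never reaches the VLAN 1 host even though the switch has seen that MAC.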

So how do we get the two subnets to talk to each other? Again, an IP gateway is required. And as before with two LAN segments, an external router could be used to provide the gateway function. However, this is not how it is typically accomplished.
This diagram is here mainly so that the reader can make a connection between an external router servicing two LAN segments, and one servicing two VLANs. There is no difference.


Today it is more common to see switches with both L2 and L3 functions (Avaya Cajun, Cisco Catalyst, and many others). The switching function (L2) continues to maintain a filtering database to keep track of VLANs and ports, just as before. The routing function (L3) resident on the switch fills the gateway role previously filled by an external router, and performs many of the other functions previously performed by an external router.
Instead of physical router interfaces, we now have virtual router interfaces. Instead of physical connections between the router and the switch(es), we now have logical connections.

Continuing with the same diagram...

One major difference is the mapping between L2 and L3 domains. Remember before that it was possible for one LAN segment to have two connections from an external router to service two IP subnets, which was not recommended. In this case, we could not create another virtual router interface (L3) for VLAN1 or VLAN2 (L2), nor would we want to.
Each L2 entity (VLAN) can have only one L3 (virtual router) interface with only one IP subnet. This maintains the 1-to-1 mapping between L2 and L3 broadcast domains. The only way to add a second IP subnet to a VLAN (not recommended) would be to use an external router.

Let's recap before moving on...


A hub is a L1 device, a switch a L2 device, and a router a L3 device. A hub is a collision domain (all devices see all transmissions), so by default it has the characteristics of a broadcast domain (all devices see broadcast transmissions). A physical LAN segment (with at least one switch, let's say, to avoid argument) is a L2 broadcast domain, and so is a VLAN.
Hence a VLAN is the logical equivalent of a physical LAN segment, with the caveat that a VLAN is always switched, whereas a LAN segment may contain switches and hubs.

An IP subnet is a L3 broadcast domain. Under most circumstances, we prefer to maintain a 1-to-1 mapping of a L2 broadcast domain to a L3 broadcast domain. Therefore
A physical LAN segment contains one IP subnet. A VLAN contains one IP subnet.

Each upper layer device/function is a boundary for the lower layer device/function.
A router is a boundary between broadcast domains. A switch is a boundary between collision domains.

Move forward to 802.1Q trunking


How do we interconnect two or more of these smart L2 switches together?


Physically connecting the VLANs together is one way, but it is not the recommended way.
This slide and the following are primarily for illustration purposes! Do not try this in your enterprise :-)

This creates two VLANs that traverse multiple switches.


Note: This scenario requires multiple instances of the Spanning Tree Protocol, one instance per VLAN on each switch. Otherwise, a single Spanning Tree process running on each switch would cause them to block one of these links to prevent a Spanning Tree loop. Most advanced switches implement per-VLAN Spanning Tree in a proprietary implementation, as it is not yet standard.


But we don't want to have to do this. This creates five VLANs that traverse multiple switches.

BUT...
A simple wiring error through the closets could end up in this.
This is a technically valid configuration. VLANs are local to the Ethernet switch and do not have to match across switches. But probably no one would intentionally do something like this.


So how do we connect two or more smart L2 switches together and maintain VLAN numbering consistency?

We trunk the VLANs.


On each switch we configure a trunk port (can be any Ethernet port) that is logically connected to multiple VLANs. Then we connect the trunk ports together.

The numbering is kept consistent through the use of 802.1Q tags.


Terminology check
access port / link - 802.1Q terms to define a port with one or more untagged VLANs, and a link connecting two such ports.
trunk port / link - 802.1Q term to define a port with multiple VLANs that are all tagged, and a link connecting two such ports.
hybrid port / link - 802.1Q term to define a port with both untagged and tagged VLANs, and a link connecting two such ports.
VID - 802.1Q acronym for VLAN ID.
PVID - 802.1Q acronym for port VLAN ID.
tagged frame - An Ethernet or 802.3 frame with the 802.1Q tag.
clear frame - An Ethernet or 802.3 frame with no tag.
VLAN trunking - a generic networking vernacular term to describe the process of forwarding multiple VLANs across a single link, whether via 802.1Q or proprietary protocols like Cisco's ISL.


802.1Q tag


802.1Q tag continued


The preceding diagram shows the IEEE 802.1Q tag and its insertion point within the Ethernet and 802.3 frames. (The term Ethernet is commonly used to describe both types of frames, although the two are different.)

The 802.1Q tag contains 3 priority bits and 12 VLAN ID bits.


The priority bits are the reason why 802.1Q is often referred to as 802.1p/Q. The VID bits make trunking possible.

Ethernet switches and endpoints must be capable of interpreting the 802.1Q tag to make use of the tag. If an Ethernet switch or an endpoint cannot interpret the 802.1Q tag, the presence of the tag may cause problems.


How VLAN trunking works w/ 802.1Q


Continuing with the previous trunking diagram...

When one switch sends an Ethernet frame to the other, the transmitting switch inserts the 802.1Q tag with the appropriate VID (with the exception of the PVID/native VID in some cases). The receiving switch reads the VID and forwards the Ethernet frame to the appropriate VLAN.


VLAN trunking is not the same as VLAN configuration.


The VLANs must be configured independently on each switch, using any of the following methods.
Manually via the CLI or web interface.
With a VLAN management tool provided by the vendor.
Automatically with a standard protocol like GVRP (GARP VLAN Registration Protocol), which works in conjunction with 802.1Q.
Automatically with a proprietary protocol like Cisco's VTP (Virtual Trunking Protocol), which works in conjunction with Cisco's proprietary ISL (InterSwitch Link) trunking protocol.

802.1Q trunking simply matches VIDs across switches. It does not help if the VIDs cannot be matched.


Default tagging behavior on most Catalyst switches


Every port, including hybrid/trunk ports, has a native VLAN. By default, enabling 802.1Q trunking on most Catalyst switches results in a hybrid configuration.
The transmitting switch does not tag frames originating from the native VLAN of the egress port, but tags all other VLANs. The receiving switch forwards all clear frames to the native VLAN of the ingress port, and all tagged frames to the appropriate VLAN.

Because the native VLAN is not tagged, the native VIDs do not have to match. Both of the following scenarios are technically valid, but probably no one would intentionally implement the second scenario.


Default tagging behavior on Avaya's Cajun switches


Every port, including trunk ports, has a port VLAN. Other VLANs are added to a port via the bind-to-xxxx commands. In terms of egress
There is no hybrid scenario on Cajun switches.
An access port with just the port VLAN sends the port-VLAN frames clear.
An access port bound to multiple VLANs sends all frames clear, including port-VLAN frames.
A trunk port sends all frames tagged, including port-VLAN frames.
Note: Whether in a single-VLAN or multi-VLAN configuration, 802.1Q trunking must not be enabled on Cajun switches when connecting to an Avaya IP phone with an attached PC, because the PC cannot interpret the tag.

In terms of ingress
An access port with just the port VLAN accepts clear frames and priority-tagged frames (frames with VID zero, discussed in the next slide).
An access port bound to multiple VLANs accepts clear frames or priority-tagged frames on the port VLAN, and VLAN-tagged frames on the other VLANs.
A trunk port behaves exactly like an access port in terms of ingress traffic.


VLAN ID zero (0)


VID 0 is the null VID.
It is used when the 802.1Q tag contains only priority information. The VID field cannot be removed from the tag, so zero is used to indicate that there is no VID. Because there is no VID, it is treated like a clear frame and associated with the port/native VLAN of the ingress port. 802.1Q trunking may or may not be enabled when using the null VID, provided the receiving switch is capable of interpreting the tag.

The null VID should be used to associate priority-tagged frames to the port/native VLAN of the ingress port.
The point of the null VID is that the frame belongs on the port/native VLAN, regardless of what it may be. It should not be necessary to tag a frame with the PVID/native VID; the switch should associate VID zero with the port/native VLAN.
This becomes critical for PCs with NICs that are capable of tagging the priority value but not the VID, and thus leave the field as zero.

Although zero should be used, tagging with the PVID/native VID instead of zero typically does not hinder operation. Some Cisco switches actually require this because they don't understand VID zero. Note: There is no null priority. Priority zero is a priority with value zero.

Sample of how Cisco handles VLAN ID zero (results from lab testing)
Catalyst 6509 w/ CatOS 6.1(2): Accepted VID zero for the native VLAN when 802.1Q trunking was enabled on the port. In this case, all but the native VLAN should be cleared off the trunk.
Catalyst 4000 w/ CatOS 6.3(3): Would not accept VID zero for the native VLAN. Opened a case with Cisco TAC, and the TAC engineer said it was a hardware problem in the 4000. Bug ID is CSCdr06231. Workaround is to enable 802.1Q trunking and tag with the native VID instead of zero. Again, clear all but the native VLAN off the trunk.
Catalyst 3500XL w/ IOS 12.0(5)WC2: Accepted VID zero for the native VLAN when 802.1Q trunking was disabled on the port.
Conclusion: Note the hardware platform and OS version and consult Cisco's documentation, or call TAC.


How Cajun handles VLAN ID zero

All Cajun switches accept VID 0 as pertaining to the port VLAN, regardless of how the Cajun is configured.


To tag or not to tag


To tag
Tag with the proper VID and desired priority when transmitting to a hybrid port and the frame belongs on a VLAN other than the port/native VLAN.
Tag with VID 0 and the desired priority when transmitting to a hybrid port and the frame belongs on the port/native VLAN.
Tag with VID 0 and the desired priority when transmitting to an access port. The switch should accept this and forward the frame to the port/native VLAN.
This would only be done if the priority value is significant (non-zero). Otherwise, there should be no tag at all.

On hybrid ports, a Catalyst switch tags the non-native-VLAN egress traffic with the proper VID and priority.


To tag or not to tag


Not to tag
Do not tag when transmitting to a hybrid port and the frame belongs on the port/native VLAN and has no special priority requirement.
Do not tag when transmitting to an access port and the frame has no special priority requirement.
By default, Catalyst switches do not tag native-VLAN egress traffic at all, even if the frame has a non-zero priority. Cajun switches do not tag port-VLAN egress traffic unless 802.1Q trunking is enabled. This is to accommodate devices that do not understand the tag, and would thus misinterpret or discard the tagged frame.
To forward priority information from the port/native VLAN to another switch, the link must be a trunk link, meaning that the port/native VLAN must also be tagged.
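An added Python example, not from the note or from either vendor, that builds and parses the 802.1Q tag (TPID 0x8100 followed by 3 priority bits, 1 CFI bit and 12 VID bits, inserted after the source MAC) and then applies the ingress and egress rules from the tagging sections above: a clear frame and a null-VID frame both land on the port/native VLAN, and the to-tag or not-to-tag decision depends on the port type and on whether the priority is significant. The MAC addresses, VIDs and the port-kind names ("access", "hybrid", "trunk") are assumptions for the example.

```python
# Added example, not from the Avaya note: build and parse the 802.1Q tag, then
# apply the ingress and egress rules described for access, hybrid and trunk
# ports. MAC addresses, VIDs and the port-kind names are constructed.
import struct

TPID = 0x8100            # EtherType value that announces an inserted 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(dst, src, payload, vid=None, priority=0, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame; a 4-byte 802.1Q tag is inserted after the source MAC when vid is given."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        # TCI = 3 priority bits, 1 CFI bit (left zero), 12 VID bits
        tci = ((priority & 0x7) << 13) | (vid & 0xFFF)
        frame += struct.pack("!HH", TPID, tci)
    return frame + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, priority, vid, ethertype, payload); vid is None for a clear frame."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    priority, vid, body = 0, None, frame[14:]
    if ethertype == TPID:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority, vid, body = tci >> 13, tci & 0xFFF, frame[18:]
    return dst, src, priority, vid, ethertype, body

def classify_ingress(frame, pvid, bound_vids=()):
    """VLAN a received frame is associated with. A clear frame and a priority-tagged
    frame (null VID 0) both map to the port/native VLAN; any other VID is accepted
    only if it is the PVID or one of the VLANs bound to the port."""
    vid = parse_frame(frame)[3]
    if vid is None or vid == 0:
        return pvid
    if vid == pvid or vid in bound_vids:
        return vid
    return None              # VID not configured on this port: the frame is dropped

def egress_tag(vlan, priority, port_kind, pvid):
    """VID to place in the tag when transmitting a frame of `vlan` toward a port of
    `port_kind` ("access", "hybrid" or "trunk"); None means send a clear frame."""
    if port_kind == "trunk":
        return vlan          # a trunk port tags every VLAN, the port/native VLAN included
    if vlan != pvid:
        if port_kind == "access":
            raise ValueError("an access port carries only its port/native VLAN")
        return vlan          # hybrid port, non-native VLAN: tag with the proper VID
    # The frame belongs on the port/native VLAN: tag with the null VID only when the
    # priority is significant (non-zero); otherwise do not tag at all.
    return 0 if priority else None
```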

Pure speculation: The 802.1Q tag came after the Ethernet frame to facilitate VLAN trunking and L2 priority tagging. The tag is not integrated into the Ethernet frame but is added to it when necessary. As VLAN trunking and priority tagging become commonplace with the proliferation of 802.1Q-capable NICs and network devices, we may see the 802.1Q tag become integrated into the Ethernet frame.


Finally, some scenarios


Here are two variations of a common scenario. Routing between VLANs is performed by the L2/L3 switch.
This is the distribution switch.

Users connect to L2 switches.


These are access switches that may or may not be VLAN-capable.

This can be expanded out to many more VLANs than shown.



Here is another variation of the same scenario. Routing between VLANs is still performed by the L2/L3 distribution switch. But now the access switches have multiple VLANs, and the uplinks to the distribution switch are hybrid or trunk links. VLAN1 is the management VLAN in this setup.
The access switches are hosts on VLAN1. Management stations, such as an SNMP server, are connected to VLAN1.

VLANs 2-5 are user VLANs for devices such as user PCs.

Here is a different scenario. Now the access switches are also L2/L3 switches. Each access switch routes its own user VLANs (101-104). The distribution switch routes between access switches and other external networks. VLANs 1-5 are uplink VLANs; there are no users on these VLANs.
Each uplink VLAN connects a group of access switches to the distribution switch.

VLANs 101-104 are user VLANs.


These VLANs are local to their respective access switches. Broadcasts from these VLANs are not transmitted across the uplinks.

In the previous scenario the user VLANs traverse the access and distribution switches, which results in broadcasts across the uplinks.

Here we've added an IP telephony twist. The even-numbered user VLANs are data VLANs. The odd-numbered user VLANs are voice VLANs. PCs are connected into the even VLANs and IP phones are connected into the odd VLANs. But some of the PCs must piggyback on the phones to share a common port. So we make the shared ports hybrid or multi-VLAN ports, make the even VLAN the port/native VLAN, and tag the phone traffic with the odd VID.
The clear PC traffic is forwarded to the port/native VLAN, and the tagged phone traffic is forwarded to the appropriate VLAN.

Conclusion
At first the Ethernet LAN was a shared coax bus (thick-net, thin-net). The hub replaced the coax bus, but there were still collisions on the hub. The switch replaced the hub and removed the collisions, but the switch itself was one L2 broadcast domain. Then smart L2 switches came along that could create multiple VLANs (multiple L2 broadcast domains) on a single switch. IEEE 802.1Q is the standard that brought this about.
The 802.1Q tag facilitates VLAN trunking between these switches. At some point L3 (routing) functionality was added to these switches to remove the need for an external router in many cases.

Real-time applications, such as IP telephony, have increased the practice of using the 802.1Q tag for priority tagging as well as VLAN trunking. NICs with priority-tagging capability already exist. It's probably only a matter of time before PCs are able to assign different priority values to different applications and tag them accordingly. Is it a stretch to speculate that one day endpoints will have the capability to tag different applications to different VLANs and source them from different IP addresses?
2002 Avaya Inc. All Rights Reserved. DA/LHP 7/8/02
