VLANs are a topic which you basically cannot afford any wrong or right when setting it up. Therefore, it's very important to understand how VLANs work at the very bottom level. This article might not dig into VLANs' core foundations but will give you a pretty good insight into what VLANs are, how they work, and how to set them up.
1. What is a VLAN?
VLAN stands for Virtual Local Area Network and is, in easy terms, a very common way to separate networks on switches. Usually, if you'd like to separate networks, you would have to physically build up different network segments (meaning one entire network for employees, one for the guests etc.) and run them in parallel. Via VLANs, you can use the same network infrastructure to carry multiple networks at the same time. It allows the creation of virtual networks over the actual physical network devices.
To bring up an analogy: While subnets are a way to separate networks within routers or so-called "Layer-3-devices", basically IP-based devices, VLANs do a very similar thing Layer-2-devices in MAC-based networks.
The rules and standards on VLAN implementation are classified by the IEEE organization within the IEEE 802.1q standard.
2. So, how does a VLAN now really work?
A VLAN, oversimplified, works via tags. A tag consist of a few additional bytes attached to any data frame, which includes information such as the VLAN membership:
The most important portion, and the one we will mainly focus on, is the VID, the VLAN ID. This number from 1-4096 is simply a marker into "which VLAN the frame belongs".
Tagging is a very efficient way of controlling which frame belongs to which VLAN.
To understand how VLANs work in practice, imagine creating a data traffic lane when you set up a VLAN within a switch. Each lane is separated, runs in parallel, and is connected to different ports assigned to that lane. The "assignment to the lane" is our VLAN membership. How to set this up is described in many different articles linked at the very bottom of this article. But here is a graphical representation of it:
You can see the lanes running through the switches and then going to whatever port of the switch is then assigned the respective membership. So once a frame has entered the switch on a specific VLAN, it can communicate with any Port which has a membership in said VLAN. But, how does a frame become either a VLAN10, 20, or 30-assigned frame?
3. Ingress Traffic on VLANs
The definition into which VLAN an incoming frame gets assigned relies on whether or not the incoming frame already has a VLAN tag assigned to it by its source device. If there is a VLAN tag assigned to the frame, the VID content is readout. If the VID matches in its number the tagged membership of a switch port, it will be allowed "onto the lane". But way more interesting is to find out what happens with completely untagged Ethernet Frames. Here, the so-called PVID (Port-Based VLAN ID) comes into play. The PVID is responsible for choosing the right lane to place frames onto that are incoming and untagged - the PVID only comes into play on frames that match these two criteria. A port assigned with a PVID of 1 will assign untagged, incoming traffic to VLAN1 to push the traffic "onto lane #1".
By default, all networking device ports and switches are set with a PVID1 and an (untagged) membership in VLAN1. So this means that by default, if you happen to connect a computer onto a switch without any configuration done by yourself, which in turn goes to a gateway, then through the preposition of the PVID1 and untagged membership being in VLAN1, the devices can immediately communicate which each other, since the preposition placed them within the same network.
Let's take another look at another visualization:
This might look at first glance more chaotic than it is: basically, both ports connected to PC and Gateway share the default VLAN membership of VLAN1 (untagged membership -> will be elaborated on in a bit) and PVID1.
If the PC sends traffic to the gateway, the PVID1 of the lower switch-port will assign the traffic to the "lane" for VLAN1, allowing it to communicate with the upper switch-port since the membership in VLAN1 is given. Compared to a tagged membership, the untagged membership decides whether or not the VLAN is sent out with a Tag, marked with VID=1 (tagged member) or without any VLAN Tag (untagged member). In this case, since the upper port is untagged, there will be no tag added. The gateway then can respond to this incoming packet and send it back - also untagged, since the gateway has no VLAN-awareness configured to it yet. Again, the PVID1, this time on the upper switch-port, will assign the frame to the "VLAN1-lane", allow once again communication, now to the lower switch-port due to shared VLAN membership. Again, no tag will be added due to the untagged membership, making the frame acceptable for the PC, which cannot read out any VLAN-Tag information. By this process, communication between gateway and client device is established.
4. Afterthoughts and useful links
Understanding this very core principle of VLAN is a crucial step in making the right choices on setting up VLAN. Of course, We can only scratch the surface on this topic, but hopefully, this will give you a good starting point in actually understanding VLANs and knowing the difference between PVID and VLAN memberships.
Below, you may find some articles revolving around setting up VLANs on a plethora of different equipment from our portfolio:
VLANs - Tagged VLANs vs PVID (Setup Example Untagged/Tagged VLAN)
How to configure VLAN on a USG device
Separate VLANs on a ZyWALL/USG
GS1900: How to configure VLAN on Zyxel Switch
Comments
0 comments
Please sign in to leave a comment.