Introduction
Hi everyone, hope everyone is okay, before we dive into what a VLANs is, we need to understand what a LAN is. A Local Area Network (LAN) is simply a local network of devices, usually implemented in home or business settings, and is characterized by its simplicity compared to other types of networks. A standout feature of a LAN is the presence of a single broadcast domain, meaning a packet is delivered to all elements in the network.
When a switch operates in its default mode, it unifies all its network interfaces into the same broadcast domain. So, if we wanted two separate broadcast domains, we would need two switches, one for each domain. Additionally, if we wanted these two domains to communicate with each other, we would need a router.
In a local network that needs to be segmented into different parts, like a home network with separate domains for parents and children, or a small business network divided by departments such as HR, Sales, and Finance, using multiple network devices—such as one switch for each domain—would not only increase infrastructure costs but also complicate maintenance. This is where VLANs come into play. VLANs offer a way to segment the network efficiently, both technically and financially.
VLAN
When we implement a VLAN, we can virtualize smaller networks into subnets that share the same switch. This way, the networks remain isolated from each other, gaining the benefits of separate networks while reducing implementation costs since these VLANs use the same networking equipment.
Benefits of virtualization:
Reduced Processing: With fewer devices on the network, broadcast transmissions become less frequent, which means fewer unnecessary frames are received.
Security: By reducing the frequency of broadcast packets, the likelihood of information leaks is also minimized.
hint: It's important to note that you can implement firewalls between VLANs, which significantly mitigates unwanted access.
When we want to virtualize multiple networks on a single switch, we just need to configure each port to its respective VLAN. This way, logical addressing for packets is applied, and the network is segmented accordingly.
Trunking
For VLANs that span multiple switches, the process is a bit different, and understanding trunking is essential.
In some cases, to ensure connection redundancy, we need to connect two switches to each other. This helps mitigate the risk of data loss during network communication.
Although usable, this model isn't very efficient because it essentially returns to a 1:1 relationship between VLANs and ports. For example, if you created 20 VLANs, you'd need 20 ports on each switch to handle the connections.
To reduce complexity and data processing costs in such a network, a technique called Trunking is used.
Trunking allows two or more switches to send frames for multiple VLANs between each other through a single cable. This is possible because the switch adds a small piece of information to the frame's header to indicate the VLAN to which the frame belongs. This process is known as tagging.
Through tagging, the frame's header includes information such as:
hint: 802.1Q standard.
This frame, as shown in the figure, has 4 bytes distributed as follows:
TPID (Tag Protocol Identifier): 2 bytes
Tag Protocol Identifier with 16 bits. Its main function is to indicate that the frame it is inserted into is tagged and requires special handling.TCI (Tag Control Information): 2 bytes, also 16 bits, but divided into three parts:
PCP (Priority Code Point): This field has 3 bits and maps the priority of the frame. Depending on the priority, it requires different handling at the data link layer.
DEI (Drop Eligible Indicator): This field has 1 bit and indicates whether the frame can be dropped in case of congestion or not. It can be combined with the PCP information to produce different effects, but it is generally interpreted on its own.
VID (VLAN Identifier): This field has 12 bits and specifies which VLAN the frame belongs to. An important detail about this field is that its values are binary but represented in decimal form between 0 and 4095. When the VID value is 0, it means that there is no VLAN ID, and only the priority is specified using the previous fields.
"Why does this happen?"
Some networks may have switches that do not support trunking. In such cases, a special VLAN called the Native VLAN is designated. This VLAN serves as a fallback when a network device receives a tagged frame but cannot interpret it. In this situation, the frame is forwarded to the Native VLAN as a regular frame, and the Native VLAN will decide what to do with it.
Packet Forwarding Between VLANs
When we split a network into two virtualized networks, the switch is logically divided into two, meaning that frames from VLAN1 are not naturally forwarded to VLAN2 and vice versa.
But what if we need to send a packet from VLAN1 to VLAN2?
In addition to trunking, we can use packet routing. By implementing a router in our network, we offload the workload, with the switch handling Layer 2 (Data Link) and the router handling Layer 3 (Network). This introduces the use of TCP/IP in the network, as we now have routing between different networks.
hint: Different VLANs should use different subnets.
Common Errors:
If a network administrator creates two VLANs with the same subnet, as shown in the figure below:
When a host sends a packet to a host in another VLAN, for example, Host A to Host C, Host A marks the packet to be sent through VLAN1, assuming the destination machine is in the same IP range. The switch then thinks, "I received an ARP request from VLAN1, so I should only propagate this packet within VLAN1." Since the destination machine is not in this VLAN, Host A will never be able to communicate with Host C.
If the administrator separates the VLANs into two different IP networks, as shown in the figure below:
hint: vlans should not be configured with networks of different classes, this is bad practice, the examples provided are for illustrative purposes only.
Host A realizes that the destination is not within its own network because it has a different IP range. Therefore, the packet is not sent via broadcast but instead forwarded to the network gateway. The switch then knows to send the packet to another VLAN via trunking or to the router. This way, Host A can communicate with Host C easily, avoiding unnecessary traffic on the broadcast channel.
Conclusion
Thanks everyone for reading, keep in mind that getting a grip on VLANs and how they work can really boost your network’s efficiency and security. By using trunking, you can manage multiple VLANs over a single link without any hassle. And when you need to get traffic between VLANs, routing and gateways have got you covered, keeping that broadcast traffic in check and your network running smoothly.
Got more questions or need some extra info on VLANs, trunking, or routing? Just drop a comment!
Top comments (0)