What is VLAN?
Instructor: Mark Jacob
Duration: 9 Hours
Video Style: Classroom
In This Video:
1. Exists at Layer 2 of OSI
2. Needs a Layer 3 process to route between them
3. Hear VLAN, think ‘Different subnet’
4. Native VLAN is untagged
5. A router is a Layer 3 device
6. Trunk/tagged links carry all VLAN info between switches using 802.1q protocol
What is a VLAN? I have asked this question before and I actually got some really interesting answers. One time I heard this response. A VLAN is a Virtual Local Area Network. I thought that was a very precise answer. Doesn’t tell me anything but it is a very precise answer. Virtual Local Area Network or VLAN.
[0:29] If we go back to our coverage of the OSI reference model, we realize that we are living at layer two when we are talking about VLANs. Imagine you had a switch, any particular vendor switch that will support VLAN, and if you have a VLAN capable switch and you just plug it in, there is only one VLAN active on it and typically it’s VLAN 1, which isn’t doing much good if you are trying to segregate your network traffic into multiple VLANs.
You can imagine that if I had this switch creating a second VLAN on it, it’s almost like cutting it in half. Now I have two switches. Because one of the things I just mentioned is with VLANs, we are living at layer 2 of the OSI model. So that means that if I have a layer two environment here, and I have a layer two environment on this side as well.
[1:34] Guess what, in order to have traffic pass between them, if I can imagine if I have PCs plugged in here, PCs plugged in here. If I have, for instance configured…Let’s just select. Let’s say that this PC here and this PC here are in VLAN 2 which we have created. Again, depending on whatever vendor or device you’re using, the command to create the VLAN would be vendor specific.
But you create VLAN 2. Now, in order to have traffic flow between these two VLANs…If you imagine they are two completely separate networks…In fact, that’s probably a good thing to pencil away in the back of your mind is, every time I hear VLAN, the N in VLAN stands for network, so a different VLAN is a different network or a different subnet. So we keep that in the back of our minds.
[2:31] If I had a situation where I want to traffic, and let’s flash forward, let’s add a device. Let’s instead say I had a situation that looked like this. I have a router in my…hold on…environment here.
Try again. Aha, I have a router. The router has two interfaces. The left side of the router is one network. The right side of the router is another network. That’s why you have a router, so that you can have traffic flowing between different networks. [3:14] It takes, and again, think back to the OSI discussion. What layer of the OSI model are we talking about here for introducing a router? Of course, we are talking about layer three in order to move traffic between different networks.
[3:29] So if we go back to our previous slide here, we have these two PCs that are in VLAN 2, and just to make it easy, we put colors on them. But VLAN 2, so if these represent two different networks, thinking about what we just discussed, what network device, or what functionality is required in order to get traffic to flow between these two networks?
To answer our own question, that would be a layer three device, typically a router or layer three switch, depending on, a lot of companies, they are moving pretty much everything to layer three switching. Regardless, you need some type of a layer three process in order to move traffic between these VLANs. Again, let’s go back to the basics about talking about VLANs.
[4:17] In order to have traffic flow in your network, let’s say for instance we have more than one switch. I’d have PCs down here. In fact, let’s begin, throw some color on it and say all right, I’ve got some PCs here in the blue VLAN, I’ve got some PCs in the green VLAN.
I need these devices to share this VLAN information. They don’t just intrinsically know, kind of like osmosis. No, no, no. They need to share that information over what is called a tagged or a trunk link. A tagged or a trunk link is a link, and it’s just a cable, that carries all, by default, the VLAN traffic from switch to switch.
[5:08] That way, if say for instance, let’s assign a port value to this. This is port two. I’ll put one, two, and three. This is port one and two. I would have some type of configuration statement that said port two is in VLAN blue. Let’s put even some numbers on it.
Let’s say that the blue VLAN is VLAN 10, and the green one is 20. Again, I’m just picking numbers at random. There would be some type of configuration command that would allow the switch to be told, hey, port two is in VLAN 10. Up here, on this one, port one is in VLAN 10. We don’t really care.
[5:48] In fact, if you think about it from the standpoint of the PC, PC of let’s say a workstation of one of the users, plugged into the wall. If you follow that through the ceiling or wherever it goes, it’s eventually going to be plugged into a switch in your network that has been configured with some type of VLAN information.
An important thing to keep in mind, your typical user’s workstation PC has no concept whatsoever of a VLAN. It just happily sends its data and gets answers back. In fact, if it got some Ethernet frame with VLAN information in it, it wouldn’t know what to do with it. I got no clue about that. I’m happy. Ignorance is bliss, as far as the PC is concerned.
[6:30] In order for traffic to flow across this trunk link, we have to say, what is the protocol that’s in use? The protocol that’s in use is an IEEE specification, and it’s called 802.1q. 802.1q, that is a trunking protocol, or a protocol that allows VLAN information to be shared between switches. Again, that is non‑vendor specific. Any switch that speaks 802.1q can share VLAN information, all is good.
There is one other thing about this that you may wonder about. In fact, I get this question a lot. How many VLANs can a particular port be in? The answer is, just one. Let’s say there’s some configuration command, depending on your vendor’s operating system, that will say that for instance, port two is in VLAN 10.
[7:30] If I come behind that and say, I want port two to be in VLAN 30, for example, I don’t have to remember, wait a minute, don’t forget to remove it from VLAN 10. No, because putting it in VLAN 30 automatically removes it from VLAN 10, because it can’t be in both at the same time, which brings up a possible, what might seem to be a conflict.
You also hear probably quite frequently, if you’re a person who’s had any dealings or association with voice‑over IP, they always tell you, or the recommendations in any text about the topic is, put your voice VLAN, or your voice traffic, in a separate VLAN from your data.
[8:13] You want to break those two out, so you can do things like quality of service. For security’s sake alone, keep it in a separate VLAN.
I gave you the example a moment ago, if I have, this is the wall of my user’s cubicle. Inside here is my connector. Up here on the desk is a voice‑over IP phone, which I’m horrible at drawing phones, so we’ll make it look like a top‑secret telephone here.
[8:38] That’s an IP phone, clearly one of the early models. In the back of this IP phone, it also has another port, which you can plug into the work station PC. Keep in mind, if you follow this around somewhere, eventually it’s going to be in some back office switch, in some port. This port has been told this information that I was mentioning just a moment ago.
VLAN 10 is this port. How in the world, then, could I have my phone have a separate VLAN than the PC if I’m only allowed to assign this port to one VLAN? To answer that question, we go back to this idea, this link between the switches called a trunk link. All VLANs, by default, will pass this link.
[9:29] Remember when I said, when you first turn on your switch, before you do any configuration at all, there’s only one VLAN on that switch, typically VLAN 1. It’s what’s called the native VLAN. If you never, ever configure VLANs, it will just stay that way. The concept of native VLANs, keep in mind, if I have information flowing from this PC to this PC, that VLAN 10 information has to get put on by the switch, sent across.
That’s VLAN 10. I have ports in VLAN 10, let me send it across.
What if, instead of information flowing through these switches, these switches are talking to each other? For instance, with bridge protocol data units, or some message where they’re trying to talk to each other? The devices talk to each other on the native VLAN, which, as I mentioned, if you don’t change it is typically VLAN 1.
[10:23] But you can change it. In fact, security professionals will advise you, go ahead and change it, because everybody knows the default VLAN, native VLAN. Go ahead and change it to something else. However, if you do that, you want to make sure that you do that on all the switches in your environment. They need to agree on what the native VLAN is.
That background allows us to answer this possible quandary. How in the world can I have a VLAN for my phone, and a VLAN for the PC? Because we mentioned just moments ago, is the PC even aware of the VLAN? Is it VLAN aware? Not whatsoever.
[10:58] The phone is. Let’s say, for instance, I’m going to configure VLAN 10 as my voice VLAN, voice VLAN ID, and that I’m not going to say anything at all about my PC. Or, to even make it a little bit more fun, let’s say that on this switch I have told it that the native VLAN is VLAN 99. Let’s say, native.
There’s VLAN 99. So, realize that the native VLAN doesn’t need a tag. Remember that example of the two switches talking to each other? If they agree on whatever the native VLAN is, they don’t tag that information. It’s just well, that’s just the native VLAN.
[11:47] If the phone is VLAN aware and the phone when it senses traffic, it tags it with VLAN 10. Here, imagine you’re the switch receiving this flow of information. "Hey, I just got a frame and it’s tagged VLAN 10. I’m going to go out on a limb here and say, well that must belong to VLAN 10, and associate it with VLAN 10 and send it on its merry way."
If I’m this switch and I receive traffic on this port that is untagged, I can make an assumption. Who sent that? If it was from the phone, it would be tagged. Therefore, it must have been from the PC and the switch will say, whatever the native VLAN is, in this case like I say, we’ve assigned the native VLAN to VLAN 99.
[12:25] But if we hadn’t touched it, the native VLAN would be VLAN 1. Whatever it is, the switch says, "Hey. If it’s untagged traffic, if there’s no VLAN information in it, I’m going to assume it was from the PC and put it in the native VLAN. If it’s tagged with the voice VLAN ID, that’s from the phone and I’m going to put it in the voice VLAN."
This is just a quick introduction to the idea of VLANs. Like I say, most enterprise environments today will use VLANs, because the last thing you want to do is, restrict your ability to assign users to a specific…I’m talking about geographical location, what floor of a building. You don’t want to limit yourself to being able to assign those users to locations, because you haven’t configured VLANs.
[13:11] For instance, let’s say you put your accounting department on the third floor, and you’re like, "We need to hire some more accounting people, but we’ve got no more desk space on the third floor. Guess what? Sorry, we’re not going to be able to…You guys are just going to have to work harder, 12 hour days whatever, because we don’t have any more room on the third floor."
No, that would be a horrible decision. We’re just going to have a VLAN that the accounting people are in, then it doesn’t matter what floor you’re on. Whatever port they’re plugged into would be an accounting VLAN and boom, they would all be able to communicate.
[13:39] Like I say, just a brief introduction to the concept of VLANs, and as you explore your network admin world, you’ll find that implementing and maintaining VLANs definitely makes your job easier.
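The following is an added worked example, not code from the video or its instructor, that models the behaviour the lecture walks through: a port belongs to exactly one access VLAN (assigning it to VLAN 30 removes it from VLAN 10), an 802.1Q tag is four bytes inserted after the source MAC with the 12-bit VLAN ID in its lower bits, the native VLAN travels untagged across a trunk, and a switch classifies an untagged frame into the native VLAN while a frame tagged with the voice VLAN ID goes to the voice VLAN. It also adds a small check for the point that both ends of a trunk must agree on the native VLAN. The port names, MAC addresses and payloads are constructed for illustration, and the classification rules are a simplification of what real switch operating systems do.

```python
"""Toy model of 802.1Q tagging and VLAN classification (added example, not the video's code)."""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


class AccessSwitch:
    """Port-to-VLAN assignment: a port is in exactly one access VLAN at a time."""

    def __init__(self):
        self.port_vlan = {}    # port name -> access VLAN

    def assign(self, port: str, vlan_id: int) -> None:
        # Reassigning overwrites the old membership; no explicit removal is needed.
        self.port_vlan[port] = vlan_id

    def members(self, vlan_id: int):
        return sorted(p for p, v in self.port_vlan.items() if v == vlan_id)


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None means the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Serialize an Ethernet frame, inserting a 4-byte 802.1Q tag when vlan_id is set."""
    hdr = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        tci = (pcp << 13) | vlan_id        # TCI = PCP(3 bits) | DEI(1 bit, 0) | VID(12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse a raw frame; a tag is present only if the first EtherType is 0x8100."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return Frame(dst, src, vlan_id, ethertype, raw[offset:])


@dataclass
class SwitchPort:
    name: str
    native_vlan: int = 1                      # untagged frames are associated with this VLAN
    allowed_vlans: Set[int] = field(          # a trunk carries all VLANs by default
        default_factory=lambda: set(range(1, 4095)))


def classify_ingress(port: SwitchPort, raw: bytes) -> Optional[int]:
    """Return the VLAN the switch associates with an incoming frame, or None if dropped."""
    frame = parse_frame(raw)
    if frame.vlan_id is None:                 # no tag: e.g. the PC behind the phone
        return port.native_vlan
    if frame.vlan_id in port.allowed_vlans:   # tagged: e.g. the phone's voice VLAN
        return frame.vlan_id
    return None                               # tagged with a VLAN this port does not carry


def egress_trunk(port: SwitchPort, vlan_id: int, frame: Frame) -> bytes:
    """Send toward the next switch: the native VLAN leaves untagged, everything else tagged."""
    tag = None if vlan_id == port.native_vlan else vlan_id
    return build_frame(frame.dst, frame.src, frame.ethertype, frame.payload, vlan_id=tag)


def native_vlan_mismatch(end_a: SwitchPort, end_b: SwitchPort) -> bool:
    """True when the two ends of a trunk disagree on the native VLAN (a misconfiguration)."""
    return end_a.native_vlan != end_b.native_vlan


if __name__ == "__main__":
    # Constructed sample addresses and a port whose native VLAN was changed to 99.
    pc_mac, phone_mac, gw_mac = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\xff"
    port = SwitchPort("Gi0/2", native_vlan=99)
    print(classify_ingress(port, build_frame(gw_mac, phone_mac, ETHERTYPE_IPV4, b"rtp", vlan_id=10)))  # 10
    print(classify_ingress(port, build_frame(gw_mac, pc_mac, ETHERTYPE_IPV4, b"http")))                # 99
```

Note that `parse_frame` only recognises a single tag whose TPID is 0x8100; double-tagged (QinQ, TPID 0x88A8) frames are outside this model. The untagged-goes-to-native rule is exactly the reasoning the lecture gives for the phone-plus-PC port; it is also why `native_vlan_mismatch` matters, since two switches with different native VLANs would silently place each other's untagged frames into different networks.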