A Virtual LAN (Vlan) is a logical grouping of hosts on a layer 2 network that may or may not be on the same switch or network segment. In fact, computers that are several switches and network segments apart can be in the same Vlan. Physical location is not a constraint. The only requirement is that they are in the same broadcast domain.
Network switches and host network interface cards communicate using MAC (media access control) addresses. Network interface cards have these unique hardware addresses assigned by the manufacturer and burned in at build time. Every MAC address is globally unique. It is the address that computers and network switches use to forward frames to one another. This is what is termed "layer 2", the data link layer of a network. A layer 2 network consists of hosts and switches that switch frames around the local area network (LAN) based on the MAC address. Because network interface cards talk directly to other network interface cards or switch ports, communication is done at the hardware level, so it is extremely quick. The common language, or protocol, used to communicate is called Ethernet.
Ethernet is commonly mistaken for the cabling system whose ubiquitous presence characterizes every office around the globe. However, Ethernet is not the gray cable or the little telephone-like connector (those are Cat 5 and RJ45 respectively); it is the framing protocol, the standard that enables hosts to construct meaningful messages and transmit them successfully across the LAN, and it is what provides the facility to create Vlans.
So what is an Ethernet frame? A data packet on an Ethernet link or LAN is actually an Ethernet packet, and it carries an Ethernet frame as its payload. An Ethernet frame can be represented as in the diagram below.
In the Ethernet frame depicted above, the very first field is the destination MAC address and the second field is the source MAC address. There is, however, another field of interest, the one that follows the source MAC address: this field is called the 802.1q tag.
The 802.1q tag contains the 802.1p priority code and the Vlan identifier.
This Vlan identifier is how an Ethernet frame can be marked as different from other frames; the Vlan tag defines the frame's Vlan membership. A network switch receiving a frame can now look inside and check not just the source and destination addresses but also the Vlan ID.
Remember how a network switch works: a switch learns which hosts are reachable through which of its ports, and it builds tables so that it effectively knows which hosts are reachable out of each port. Well, now the switch can also learn which Vlan members are located on which ports, and which broadcast traffic it should transmit or block per port. By blocking or transmitting layer 2 broadcasts depending on the Vlan identifier, the switch has effectively created separate broadcast domains. This enables network administrators to segregate hosts and their traffic even though they share the same wire. Additionally, administrators can now group hosts from different network segments, many switches away from one another, into the same virtual LAN as if they were sitting on the same local switch. This is all made possible by assigning a Vlan ID in the 802.1q tag.
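To make the frame layout and the per-Vlan switching behaviour above concrete, here is an added example (not code from the original article). It decodes the destination MAC, source MAC, the optional 802.1q tag (priority code point and Vlan identifier) and the EtherType of an Ethernet II frame, and then feeds frames through a toy learning switch whose MAC table is keyed per Vlan and which floods unknown or broadcast frames only to ports in the same Vlan. The frame bytes and the port-to-Vlan assignments are constructed for the example; the switch model is a simplification in which every port is an access port and takes its Vlan from the port, not from any tag.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100   # Tag Protocol Identifier: an EtherType of 0x8100 means an 802.1q tag follows

@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int]   # Vlan identifier from the tag, None for an untagged frame
    pcp: int             # 802.1p priority code point (0 when untagged)
    ethertype: int       # EtherType of the payload that follows the header (and tag)
    payload: bytes

def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def parse_frame(raw: bytes) -> Frame:
    """Decode destination, source, optional 802.1q tag and EtherType of an Ethernet II frame."""
    if len(raw) < 14:
        raise ValueError("shorter than the 14-byte Ethernet header")
    dst, src = mac_to_str(raw[0:6]), mac_to_str(raw[6:12])
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vid, pcp = 14, None, 0
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("802.1q tag is truncated")
        tci, ethertype = struct.unpack("!HH", raw[14:18])  # Tag Control Information, then the real EtherType
        pcp = tci >> 13          # top 3 bits: 802.1p priority
        vid = tci & 0x0FFF       # low 12 bits: Vlan identifier (bit 12 is the DEI flag, ignored here)
        offset = 18
    return Frame(dst, src, vid, pcp, ethertype, raw[offset:])

def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Inverse of parse_frame; inserts an 802.1q tag only when a vid is given."""
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return header + struct.pack("!H", ethertype) + payload

BROADCAST = "ff:ff:ff:ff:ff:ff"

class VlanSwitch:
    """Toy learning switch (constructed model, access ports only): the MAC table is keyed by
    (vlan, mac) and flooding is confined to the ports that belong to the same Vlan."""

    def __init__(self, port_vlans: dict):
        self.port_vlans = port_vlans   # access port number -> Vlan the port is assigned to
        self.table = {}                # (vlan, mac) -> port the MAC was learned on

    def receive(self, in_port: int, raw: bytes) -> list:
        """Return the list of ports the frame is forwarded out of (possibly empty)."""
        frame = parse_frame(raw)
        vlan = self.port_vlans[in_port]            # an access port assigns its own Vlan
        self.table[(vlan, frame.src)] = in_port    # learning: the source MAC lives behind in_port
        out = self.table.get((vlan, frame.dst))
        if out is not None:
            return [] if out == in_port else [out]  # known unicast: one port, or drop if it came from there
        # unknown unicast or broadcast: flood, but only within this Vlan's broadcast domain
        return sorted(p for p, v in self.port_vlans.items() if v == vlan and p != in_port)

if __name__ == "__main__":
    # constructed sample: ports 1-2 are in Vlan 2, ports 3-4 in Vlan 10
    sw = VlanSwitch({1: 2, 2: 2, 3: 10, 4: 10})
    print("broadcast from port 1 floods to:", sw.receive(1, build_frame(BROADCAST, "00:00:00:00:00:0a", 0x0806, b"")))
    print("reply from port 2 goes to:", sw.receive(2, build_frame("00:00:00:00:00:0a", "00:00:00:00:00:0b", 0x0800, b"")))
    print("Vlan 10 host looking for 0a floods to:", sw.receive(3, build_frame("00:00:00:00:00:0a", "00:00:00:00:00:0c", 0x0800, b"")))
```

The last call shows the segregation the article describes: the host on port 3 never reaches the host on port 1, because the table entry learned for that MAC belongs to Vlan 2 and the flood stays inside Vlan 10.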
So how do network administrators configure Vlans? The first step is to plan which hosts are to be members of which Vlan. It is very important to remember here that once hosts are placed in Vlan 2, for example, they can only communicate directly with other members of Vlan 2, because everyone else will be in Vlan 1, the default Vlan. For hosts in Vlan 1 to communicate with hosts in Vlan 2, the traffic will have to pass through a router at layer 3.
Once the network administrator has ascertained which hosts will be members of which Vlan, it is simply a case of placing each host into the appropriate Vlan.
The configuration examples are based on Cisco IOS.
A Vlan is configured, added or removed on the local switch in configuration mode. The following parameters can be set when creating, updating or modifying the vlan database.
- Vlan ID (2-4094)
- Vlan name
- Vlan type
- Vlan state (active or suspended)
Vlan configuration mode is entered through the vlan database privileged EXEC command; then enter the Vlan ID to create a new Vlan or to edit an existing Vlan.
Switch# vlan database
Switch(vlan)# vlan 20 name test20
Alternatively, enter Vlan configuration mode via global configuration mode, again by entering a Vlan ID to create a new Vlan or to edit an existing Vlan.
Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# name test20
Now that the Vlan has been created in the local Vlan database on the switch, the next step is to assign the switch ports that connect directly to Vlan members.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
The configuration above places Fast Ethernet port 0/1 into Vlan 2.
The command switchport mode access defines the port as a layer 2 access port.
The final command switchport access vlan 2 assigns the port as a member of Vlan 2 (valid IDs range from 2 to 4094).
Verify the configuration by entering Switch# show interfaces fastethernet0/1 switchport, which produces output like the following:
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
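Reading that output by eye works for one port; across many ports it is easy to miss one left in the wrong Vlan. As an added example (not code from the original article), the following parses the switchport output quoted above and checks it against the intended state: static access mode, the expected access Vlan, not the default Vlan 1, and no trunk negotiation still enabled on what is meant to be a plain access port. The sample text is the article's own output reproduced as a constructed string; the field names are the ones visible in that output.

```python
import re

# Constructed sample: the "show interfaces fastethernet0/1 switchport" output
# quoted in the article, reproduced as a string so the checks run offline.
SAMPLE_OUTPUT = """\
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
"""

def parse_switchport(text: str) -> dict:
    """Turn the 'Key: value' lines of the switchport output into a dict, keys as printed."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue               # skip blank or unexpected lines
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields

def vlan_number(value: str) -> int:
    """Extract the numeric Vlan ID from a value such as '2 (VLAN0002)' or '1 (default)'."""
    m = re.match(r"\s*(\d+)", value)
    if not m:
        raise ValueError(f"no Vlan number in {value!r}")
    return int(m.group(1))

def audit_access_port(fields: dict, expected_vlan: int) -> list:
    """Return a list of findings; an empty list means the port matches the intended state."""
    findings = []
    mode = fields.get("Administrative Mode", "")
    if mode != "static access":
        findings.append(f"mode: expected 'static access', found '{mode}'")
    access_vlan = vlan_number(fields.get("Access Mode VLAN", "0"))
    if access_vlan != expected_vlan:
        findings.append(f"vlan: expected {expected_vlan}, found {access_vlan}")
    if access_vlan == 1:
        findings.append("vlan: port is still in the default Vlan 1")
    if fields.get("Negotiation of Trunking", "").lower() == "on":
        findings.append("negotiation: trunk negotiation is On; a static access port does not need it")
    return findings

if __name__ == "__main__":
    info = parse_switchport(SAMPLE_OUTPUT)
    for line in audit_access_port(info, expected_vlan=2) or ["OK: port matches intended state"]:
        print(line)
```

Run against the article's output with an expected Vlan of 2, the only finding is the trunk negotiation line; run with an expected Vlan of 20 (the Vlan created earlier in the article), it also reports the mismatch, which is exactly the kind of slip the check is there to catch.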
This article covered Vlans: what they are, how they work and how they are configured.