# Lecture - VLANs (Dleifnesor/NET-215 GitHub Wiki)
## VLANs Define Broadcast Domains
- A broadcast domain includes all devices that receive broadcasts from each other.
- VLANs split Layer 2 networks into separate broadcast domains.
- Routers are typically used to separate broadcast domains.
## VLANs vs. Physical LANs

| Without VLANs | With VLANs |
|---|---|
| One physical network = one broadcast domain | Multiple logical networks from one switch |
| Requires multiple switches for isolation | One switch can handle multiple VLANs |
| Physical layout limits flexibility | Logical setup allows easy reconfiguration |
## VLANs Span Switches
- VLANs can extend across multiple switches using trunk ports.
- A switch with VLANs can keep departments isolated, even across floors.
## VLANs & Layer 3
- VLANs are often associated with IP subnets.
- Traffic between VLANs must be routed (Layer 3).
- Devices within a VLAN share an IP subnet; different VLANs = different subnets.
## Benefits of VLANs

| Benefit | Description |
|---|---|
| Logical Organization | Group users by function, not location |
| Easy Moves/Adds/Changes (MAC) | Devices can move floors without reconfiguring |
| Control Traffic | Broadcasts stay within VLAN |
| Enhanced Security | Segregates sensitive departments like Accounting |
## VLAN Configuration
- VLANs are defined using 12-bit VLAN IDs (usable range 1–4094).
- Consistent VLAN IDs must be used across switches (e.g., VLAN 10 for Engineering).
## Port Types

| Type | Description |
|---|---|
| Access | Connects to end devices; belongs to one VLAN only |
| Trunk | Connects switches or routers; carries multiple VLANs using tagging |
## Access vs Trunk Example

| Port Type | Device | VLAN |
|---|---|---|
| Access | End devices (PCs) | One VLAN (e.g., VLAN 10) |
| Trunk | Between switches | Carries multiple VLANs (e.g., 10 & 20) |

Trunk ports “tag” packets with their VLAN ID.
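To make the access/trunk distinction and the "VLANs define broadcast domains" idea concrete, here is a small switch model written for these notes (it is an added example, not course material or vendor code). Port names (`Gi0/1` etc.), the VLAN numbers, the native VLAN of 1 on the uplink, and the rule that a tagged frame arriving on an access port is dropped are all assumptions made for the model. Given a broadcast frame arriving on one port, `flood()` returns which other ports it leaves on and whether it leaves tagged.

```python
"""Toy switch: access ports put a frame into one VLAN, trunk ports carry
several VLANs and tag them, and a broadcast is only flooded to ports in the
same VLAN. Added example for these lecture notes; all values are constructed."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    name: str
    mode: str                                  # "access" or "trunk"
    vlan: int = 1                              # access VLAN, or native VLAN on a trunk
    allowed: Set[int] = field(default_factory=set)  # trunk only: VLANs it carries


@dataclass
class Frame:
    src_port: str                  # port the frame arrived on
    vlan: Optional[int] = None     # VLAN ID from an 802.1Q tag, None if untagged


def classify(port: Port, frame: Frame) -> Optional[int]:
    """Ingress: decide which VLAN the frame belongs to, or None to drop it."""
    if port.mode == "access":
        # An access port belongs to exactly one VLAN; in this model a tagged
        # frame on an access port is treated as unexpected and dropped.
        return port.vlan if frame.vlan is None else None
    # Trunk: an untagged frame is assumed to be on the native VLAN (assumption
    # matching the notes); a tagged frame must be in the allowed list.
    vid = port.vlan if frame.vlan is None else frame.vlan
    return vid if vid in port.allowed else None


def flood(ports: Dict[str, Port], frame: Frame) -> Dict[str, Optional[int]]:
    """Return {egress_port: tag} for a broadcast frame.

    tag is the VLAN ID that would be written into the 802.1Q header, or None
    when the frame leaves untagged (access ports, or the trunk's native VLAN).
    Ports in other VLANs never see the frame: that is the broadcast domain."""
    vid = classify(ports[frame.src_port], frame)
    if vid is None:
        return {}                      # dropped at ingress
    out: Dict[str, Optional[int]] = {}
    for name, p in ports.items():
        if name == frame.src_port:
            continue                   # never flood back out the ingress port
        if p.mode == "access" and p.vlan == vid:
            out[name] = None           # end devices receive untagged frames
        elif p.mode == "trunk" and vid in p.allowed:
            out[name] = None if vid == p.vlan else vid  # native VLAN leaves untagged
    return out


# Constructed switch: Engineering on VLAN 10, Accounting on VLAN 20, one trunk uplink.
SWITCH: Dict[str, Port] = {
    "Gi0/1": Port("Gi0/1", "access", vlan=10),                       # Engineering PC
    "Gi0/2": Port("Gi0/2", "access", vlan=10),                       # Engineering PC
    "Gi0/3": Port("Gi0/3", "access", vlan=20),                       # Accounting PC
    "Gi0/24": Port("Gi0/24", "trunk", vlan=1, allowed={1, 10, 20}),  # uplink to next switch
}

if __name__ == "__main__":
    print(flood(SWITCH, Frame("Gi0/1")))            # Engineering broadcast: Gi0/2 untagged, uplink tagged 10
    print(flood(SWITCH, Frame("Gi0/3")))            # Accounting broadcast: never reaches Engineering PCs
    print(flood(SWITCH, Frame("Gi0/24", vlan=20)))  # tagged 20 from the trunk: only Gi0/3
    print(flood(SWITCH, Frame("Gi0/24")))           # untagged on trunk = native VLAN 1: no access ports here
    print(flood(SWITCH, Frame("Gi0/24", vlan=30)))  # VLAN 30 is not allowed on the trunk: dropped
```

The Accounting broadcast from `Gi0/3` reaches only the trunk (tagged with 20), never the Engineering PCs, which is the "Enhanced Security" row of the benefits table in action: isolation comes from the switch's forwarding decision, not from separate cabling.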
## VLAN Tagging
VLAN tagging identifies which VLAN a packet belongs to as it crosses trunk ports.
- Uses 802.1Q (Dot1Q) standard.
- Tag is added to Ethernet header.
- If untagged, it's assumed to be on the Native VLAN.
## IEEE 802.1Q (Dot1Q) Format

| Field | Bits | Description |
|---|---|---|
| Tag Protocol ID (TPID) | 16 | 0x8100, marks the frame as VLAN-tagged |
| Tag Control Info (TCI) | 16 | Includes Priority (3 bits), Drop Eligible Indicator (1 bit), VLAN ID (12 bits) |
## VLAN ID Range
- Values: 0x001 to 0xFFE (1–4094 usable)
- Some switches support fewer VLANs (e.g., max 255)
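The tag format and the ID range above are easiest to check by building and parsing a tag yourself. The following is an added example written for these notes (not course or library code): it packs TPID 0x8100 and the TCI fields (PCP 3 bits, DEI 1 bit, VID 12 bits), inserts the tag into an Ethernet header the way a trunk port does, and parses it back out, mapping an untagged frame to a native VLAN. The MAC addresses, the ARP payload fragment and the native VLAN of 1 are constructed assumptions.

```python
"""Build and parse an IEEE 802.1Q tag. Added example for these lecture notes;
the frame bytes below are constructed, not captured from a network."""

import struct
from typing import Dict

TPID_8021Q = 0x8100   # EtherType value that marks a frame as VLAN-tagged
NATIVE_VLAN = 1       # assumption: VLAN assigned to untagged frames on a trunk


def build_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Return the 4-byte 802.1Q tag: TPID then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID 0 and 4095 are reserved; usable range is 1-4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
              vid: int, pcp: int = 0) -> bytes:
    """Insert the tag between the source MAC and the original EtherType."""
    return dst + src + build_tag(vid, pcp) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Extract VLAN information from an Ethernet frame.

    A frame whose EtherType field is not 0x8100 is untagged and is reported
    on NATIVE_VLAN, mirroring how a trunk port treats untagged traffic."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info: Dict[str, object] = {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "tagged": False, "vlan": NATIVE_VLAN, "pcp": 0, "dei": 0,
    }
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vlan=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


# Constructed sample values.
DST = bytes.fromhex("ffffffffffff")           # broadcast destination
SRC = bytes.fromhex("02000000000a")           # locally administered source MAC
ETHERTYPE_ARP = 0x0806
PAYLOAD = bytes.fromhex("0001080006040001")   # first bytes of an ARP request

if __name__ == "__main__":
    tagged = tag_frame(DST, SRC, ETHERTYPE_ARP, PAYLOAD, vid=10, pcp=5)
    print(tagged[12:18].hex())                # 8100a00a0806: TPID, TCI, then real EtherType
    print(parse_frame(tagged))                # vlan 10, pcp 5, tagged
    untagged = DST + SRC + struct.pack("!H", ETHERTYPE_ARP) + PAYLOAD
    print(parse_frame(untagged))              # vlan 1 (native), untagged
```

Note that the parser reports the VLAN for an untagged frame only because `NATIVE_VLAN` is configured; nothing in the frame itself says which VLAN it is on, which is why native-VLAN settings must match on both ends of a trunk.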
## VLAN Routing
To allow inter-VLAN communication:

| Requirement | Explanation |
|---|---|
| Layer 3 Device | A router or Layer 3 switch is required |
| Trunk Ports | Tag packets with 802.1Q header |
| Layer Header Used | Layer 2 (Ethernet) |
## Packet Sniffing Insight
- Capturing the 802.1Q tag can only be done on trunk ports.
- It’s embedded in the Ethernet (Layer 2) header.
## Summary

| Topic | Key Points |
|---|---|
| VLAN Purpose | Logical separation of devices on the same physical infrastructure |
| VLAN ID | Unique identifier (1–4094) used in tagging and configuration |
| Port Types | Access (single VLAN) vs. Trunk (multiple VLANs via tags) |
| Routing | Inter-VLAN traffic must go through a router or Layer 3 switch |
| 802.1Q | Standard method of tagging frames with VLAN ID in the Ethernet header |