What Is a Virtual LAN (VLAN) and IEEE 802.1Q?
>> What Is a Virtual LAN (VLAN)?
A LAN is a local area network and is defined as all devices in the same broadcast domain. Here is a typical LAN structure.
In the LAN configuration above, the LAN is composed of hierarchical hubs, so each workgroup can be physically separated from all the other workgroups.
However, this is not always possible. Consider this example. A college staff member belongs to the HR department and her computer is attached to the HR Department LAN. But she is also responsible for managing the accounts relating to research grants, general teaching and research funding. In order to do this, she needs access to the Finance Department LAN to check on payments from grants, purchases, etc.
However, for security reasons, the server holding sensitive finance information is attached to the Finance Department LAN and blocks access from other LANs. This raises a problem: the staff member needs to be attached to the Finance Department LAN even though her computer is physically located in the HR Department LAN.
Obviously, one solution is to move this staff member to the Finance Department LAN. But financial matters are only part of her job, so it is preferable for her to be located physically within the HR department but LOGICALLY linked to the Finance Department LAN.
Problems of this kind led the IEEE to produce the 802.1Q standard, which allows a computer that is physically attached to one LAN to be a member of a workgroup associated with a different LAN. This logical LAN is called a Virtual LAN or VLAN.
>> IEEE 802.1Q Frame Format
The IEEE 802.3 Ethernet standard frame has a type/length field and all subsequent standards have retained the same frame format. The approach adopted with the VLAN (IEEE 802.1Q) standard was to introduce a new frame format.
This new frame format is shown below with a comparison to the 802.3 frame format.
The new IEEE 802.1Q frame format has two new 2-byte fields. Following the destination and source MAC address fields is the existing type/length field. This field is set to 8100Hex and, since this is greater than 1500, it is interpreted as a type value; 8100Hex indicates the VLAN protocol ID.
The next 2-byte field is composed of three subfields.
- The first is a 3-bit priority (PRI) field and has been introduced to enable (future) frames to be assigned a priority value in order to define the sequence in which frames are transmitted.
- The second subfield is called the canonical format identifier (CFI) and is used to enable a frame relating to a Token Ring LAN to be embedded within the data field of this frame.
- The third subfield is a 12-bit VLAN identifier. Each workgroup is assigned a different VLAN ID and each frame transmitted by members of the same workgroup has the same identifier in this field.
The next 2-byte field is then the new length field and this indicates the number of bytes in the data field.
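As an added example (not code from the original article), here is a small parser and builder for the frame layout just described: a 14-byte 802.3 header whose type/length field, when it holds 8100Hex, announces a 2-byte tag control field (3-bit PRI, 1-bit CFI, 12-bit VLAN ID) followed by the real type/length field. The sample frames are constructed for this example; the names `parse_frame`, `build_tagged_frame` and `ParsedFrame` are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Values taken from the article: 8100Hex in the type/length position marks an
# 802.1Q tag, and a type/length value above 1500 is read as a type, not a length.
VLAN_PROTOCOL_ID = 0x8100
MAX_LENGTH_VALUE = 1500


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    tagged: bool
    priority: Optional[int]   # 3-bit PRI subfield, None when untagged
    cfi: Optional[int]        # 1-bit CFI subfield, None when untagged
    vlan_id: Optional[int]    # 12-bit VLAN identifier, None when untagged
    type_or_length: int       # the field following the tag (or the MACs when untagged)
    payload: bytes

    @property
    def field_is_type(self) -> bool:
        """True when type_or_length is interpreted as a type (value > 1500)."""
        return self.type_or_length > MAX_LENGTH_VALUE


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Parse dst(6) src(6) [8100(2) TCI(2)] type/length(2) data; FCS assumed stripped."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte 802.3 header")
    dst, src, type_or_length = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    priority = cfi = vlan_id = None
    tagged = False
    if type_or_length == VLAN_PROTOCOL_ID:
        # A tag was announced, so the TCI and the real type/length must both be present.
        if len(frame) < 18:
            raise ValueError("802.1Q tag announced but frame truncated before TCI/type")
        tci, type_or_length = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13          # top 3 bits
        cfi = (tci >> 12) & 0x1       # next bit
        vlan_id = tci & 0x0FFF        # low 12 bits
        tagged = True
        offset = 18
    return ParsedFrame(_mac(dst), _mac(src), tagged, priority, cfi, vlan_id,
                       type_or_length, frame[offset:])


def build_tagged_frame(dst_mac: str, src_mac: str, vlan_id: int, priority: int,
                       type_or_length: int, payload: bytes, cfi: int = 0) -> bytes:
    """Inverse of parse_frame for the tagged case; rejects out-of-range subfields."""
    if not 0 <= vlan_id <= 0xFFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("PRI must fit in 3 bits and CFI in 1 bit")
    tci = (priority << 13) | (cfi << 12) | vlan_id
    return (bytes.fromhex(dst_mac.replace(":", "")) +
            bytes.fromhex(src_mac.replace(":", "")) +
            struct.pack("!HHH", VLAN_PROTOCOL_ID, tci, type_or_length) + payload)


# Constructed sample frames (not captured traffic): VLAN 10, PRI 3, CFI 0, type 0800Hex,
# and an untagged frame whose type/length field holds the 7-byte payload length.
TAGGED_SAMPLE = bytes.fromhex("001122334455" "66778899aabb" "8100" "600a" "0800") + b"payload"
UNTAGGED_SAMPLE = bytes.fromhex("001122334455" "66778899aabb" "0007") + b"payload"

if __name__ == "__main__":
    for sample in (TAGGED_SAMPLE, UNTAGGED_SAMPLE):
        print(parse_frame(sample))
```

The truncation check matters in practice: a tag announced by 8100Hex commits the parser to reading four more bytes, and a frame cut short at that point should be rejected rather than read past its end.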
>> VLAN Frame Forwarding
Let’s look at the following figure so we can clearly explain how the frame forwarding operation in a VLAN works.
This LAN is based on bridging hubs with both the lowest tier of three hubs and the single hub in the upper tier all being IEEE 802.1Q compliant. Also, all the computers in this LAN have network interface cards that are IEEE 802.1Q compliant. This means all nodes in this LAN generate and process frames that are in the new IEEE 802.1Q format as shown in the previous figure.
So each computer is assigned a specific VLAN identifier that indicates the VLAN to which the computer belongs. Note that this VLAN ID can be readily changed should modifications to the current workgroups become necessary.
In the standard, each computer can be identified by either its port number, its MAC address or, in some instances, its IP address. The IP address is found within the data field of the MAC frame and hence can lead to problems should network address formats other than IP be present. Also, since the port number associated with a computer changes whenever the computer is relocated, this too can create problems. Hence in most cases each computer is identified by its MAC address.
At startup a bridge learns the port number to which each computer is attached by reading the source (MAC) address in the header of each frame received at a port before the frame is forwarded out onto all the other ports. The port number, together with the related MAC address, is then entered into the routing table of the bridge.
The same procedure is followed with an IEEE 802.1Q compliant bridging hub, with the addition that the VLAN identifier in the header of each frame is also entered into the routing table. Similarly, during the learning phase, a copy of the frame is forwarded to the hub at the higher level and this in turn creates its own routing table. The routing tables of the four bridges are also shown in the above figure.
Once the learning phase has been carried out, the routing of frames between and within each VLAN can then start. For example, assuming a PC with a MAC address of 52 sends a frame to, say, a server with a MAC address of 57, since the VLAN identifier is the same for both the PC and the server, switch BH1 carries out the routing of the frame directly without any further transmission.
If now a PC with a MAC address of 58 and a VLAN identifier of Green sends a frame to a server with a MAC address of 67, BH1 first forwards the frame to BH0. BH0 then consults its routing table and, after determining that the server with a MAC address of 67 is also a member of VLAN Green, it forwards the frame out on port 2.
In this way, frames are routed not just on their MAC address but also on their VLAN identifier and, because of this, the load on the total network is significantly reduced. Also, if a frame has a VLAN identifier that is different from the one in the routing table, the frame is discarded, which improves the security of the network. The same procedure holds for both broadcast and multicast frames.
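The learning-and-forwarding procedure of this section, as an added example that is not code from the original article: a bridge records (port, VLAN) per source MAC as frames arrive, floods unknown and broadcast destinations, forwards a known destination only when the frame's VLAN matches the table entry, and discards it otherwise. The topology, port numbers and VLAN names ("Red" for the 52/57 pair, which the article leaves unnamed, and "Green" as in the article) are constructed for this example; the classes `Frame` and `VlanBridge` and the function `simulate` are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: str   # the article uses names such as "Green"; a real tag carries a 12-bit number


class VlanBridge:
    """Learning bridge whose table maps MAC -> (port, VLAN), as the article describes."""

    def __init__(self, name: str, ports: List[int]):
        self.name = name
        self.ports = ports
        self.table: Dict[str, Tuple[int, str]] = {}

    def receive(self, frame: Frame, in_port: int) -> Tuple[str, List[int]]:
        """Learn from the source address, then return (action, output ports)."""
        # Learning: the source MAC, its ingress port and its VLAN go into the table.
        self.table[frame.src_mac] = (in_port, frame.vlan)
        others = [p for p in self.ports if p != in_port]
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.table:
            # Broadcast or not-yet-learned destination: copy out every other port.
            return ("flood", others)
        out_port, dst_vlan = self.table[frame.dst_mac]
        if dst_vlan != frame.vlan:
            # The frame's VLAN identifier differs from the table entry: discard it.
            return ("discard", [])
        if out_port == in_port:
            # Destination lives on the ingress segment; no forwarding needed.
            return ("filter", [])
        return ("forward", [out_port])


def simulate() -> Dict[str, Tuple[str, List[int]]]:
    """Replay the article's two scenarios plus a VLAN-mismatch case on a 2-tier topology."""
    # Constructed topology: BH1 (lower tier) uplinks from its port 0 to BH0 port 1;
    # PCs 52 and 57 (Red) sit on BH1 ports 1 and 2, PC 58 (Green) on port 3,
    # and server 67 (Green) hangs off BH0 port 2.
    bh1 = VlanBridge("BH1", ports=[0, 1, 2, 3])
    bh0 = VlanBridge("BH0", ports=[1, 2])

    # Learning phase: each lower-tier node broadcasts once; BH1 floods the copy up
    # its uplink, so BH0 learns the same MACs on its port 1 (propagation done by hand).
    for mac, vlan, port in [("52", "Red", 1), ("57", "Red", 2), ("58", "Green", 3)]:
        bh1.receive(Frame(mac, BROADCAST, vlan), port)
        bh0.receive(Frame(mac, BROADCAST, vlan), 1)
    # Server 67 broadcasts; BH0 floods it down to BH1, which learns 67 on its uplink.
    bh0.receive(Frame("67", BROADCAST, "Green"), 2)
    bh1.receive(Frame("67", BROADCAST, "Green"), 0)

    results = {}
    # Article scenario 1: 52 -> 57, same VLAN, handled entirely by BH1.
    results["52->57 Red at BH1"] = bh1.receive(Frame("52", "57", "Red"), 1)
    # Article scenario 2: 58 -> 67 (Green), BH1 sends to BH0, BH0 sends out port 2.
    results["58->67 Green at BH1"] = bh1.receive(Frame("58", "67", "Green"), 3)
    results["58->67 Green at BH0"] = bh0.receive(Frame("58", "67", "Green"), 1)
    # Mismatch: 52 (Red) addresses the Green server 67; the frame is discarded.
    results["52->67 Red at BH1"] = bh1.receive(Frame("52", "67", "Red"), 1)
    return results


if __name__ == "__main__":
    for scenario, decision in simulate().items():
        print(f"{scenario}: {decision}")
```

Note that flooding here goes out every other port, which is what lets the upper-tier bridge learn during the learning phase; it is also why an unknown-destination frame reaches segments that hold no member of its VLAN. Production switches restrict flooding to the ports configured as members of that VLAN, which is the practical form of the containment benefit the article attributes to VLANs.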
>> When Do You Need a VLAN?
It is important to point out that you don't have to configure a VLAN until your network gets so large and carries so much traffic that you need one. Many times, people are simply using VLANs because the network they are working on was already using them.
Another important fact is that, on a Cisco switch, VLANs are enabled by default and ALL devices are already in a VLAN. The VLAN that all devices are already in is VLAN 1. So, by default, you can just use all the ports on a switch and all devices will be able to talk to one another.
You need to consider using VLANs in any of the following situations:
- You have more than 200 devices on your LAN
- You have a lot of broadcast traffic on your LAN
- Groups of users need more security or are being slowed down by too many broadcasts.
- Groups of users need to be on the same broadcast domain because they are running the same applications. An example would be a company that has VoIP phones: the phone users could be placed on their own VLAN, separate from the regular users.
- Or, just to make a single switch into multiple virtual switches.
>> How can devices on different VLANs communicate?
Devices on different VLANs can communicate through a router or a Layer 3 switch. As each VLAN is its own subnet, a router or Layer 3 switch must be used to route between the subnets.
>> What do VLANs offer?
VLANs offer higher performance for medium and large LANs because they limit broadcasts. As the amount of traffic and the number of devices grow, so does the number of broadcast packets. By using VLANs you are containing broadcasts.
VLANs also provide security because you are essentially putting one group of devices, in one VLAN, on their own network.