Network Notes: VLAN

published: 11th of July 2018

Overview

Virtual Local Area Network (VLANs) are used to logically partition physical switch ports into multiple smaller broadcast domains.

VLAN

A VLAN is a logically segmented group of physical switchports that reduces the broadcast domain of the physical ports to the ports within the VLAN. VLANs are defined in the IEEE802.1Q standard. VLANs are identified via an ID which is a number between 1 and 4094.

Hosts within a VLAN cannot talk directly to hosts within a different VLAN. Good design principles dictate that there should be one IPv4 and or IPv6 subnet per VLAN. A layer 3 routing mechanism is required for hosts in different VLANS to communicate with one another.

Traditional VLANS

blog/network-notes-vlan/traditional-vlans.svg

VLAN isolation is local to a switch. In order to extend the VLAN isolation to more than one switch a trunk must be configured between the switches. The industry standard method to enable inter-switch VLAN communication is to "tag" ethernet frames with 802.1q tags. Cisco invented a proprietary tagging protocol named inter-switch link (ISL) which is no longer implemented in modern switches.

802.1Q Tag

blog/network-notes-vlan/8021q-tag.svg

An 802.1Q tag gets "inserted" into an ethernet frame between the source address and type/length fields. The tag is 4 bytes in length, once the tag is inserted the FCS must be recomputed.

802.1Q Tag Fields

Field Purpose
TPID Contains the HEX value 0x8100 which signals the receiver the presence of an 802.1Q tag in the frame header.
User Priority Defined in the 802.1p standard to align with CoS marking used in upper layers such as IP Precedence and MPLS EXP.
Canonical Format Indicator Used to associate the VLAN ID field with either ethernet (0) or token ring (1). Should always be set to 0 for ethernet.
VLAN ID A VLAN ID between 1 and 4094.

Private VLAN

Defined in RFC5517 private VLANs allow a switch to treat a port as a if it belongs to a VLAN while using a single subnet across multiple private VLAN ports.

Private VLANs consist of single primary VLAN and one or more secondary VLANs. From outside of the switch all ports look like they belong to the Primary VLAN. Secondary VLANs fit into two categories; community and isolated VLANs and have different levels of isolation.

Private VLAN Summary

Item Description
Primary VLAN A primary VLAN contains one or more community VLANs and promiscuous ports. A primary VLAN can contain only ONE isolated VLAN.
Community VLAN Ports in the same community VLAN can communicate directly and with promiscuous ports in the same primary VLAN.
Isolated VLAN Can only communicate with promiscuous ports in the same primary VLAN.
Promiscuous Port Can communicate with all promiscuous ports and secondary VLANs within the same primary VLAN.

Private VLANs

blog/network-notes-vlan/private-vlans.svg

Packet Captures

Various VLAN PCAPs can be found here.

Bibliography

1. Kocharians, N. and Paluch, P. (2014) CCIE Routing and Switching v5.0 Official Cert Guide, Volume 1, 5th Edition - Chapter 2: Virtual LANs and VLAN Trunking. Indianapolis: Cisco Press

http://www.ieee802.org/1/pages/802.1Q.html

https://tools.ietf.org/html/rfc5517

https://wiki.wireshark.org/VLAN

https://www.juniper.net/documentation/en_US/junos/topics/concept/layer-2-networking-ethernet-frame-forwarding-802-1q-vlan-tag-mx-solutions.html