This is the layer two engineering presentation on VLANs, part of the campus network design and operations workshop.

Virtual LANs, or VLANs, are what allow us to split switches into separate virtual switches. The idea is that only members of a VLAN can see that VLAN's traffic, and inter-VLAN traffic must go through a router. This, for example, allows us to reuse router interfaces to carry traffic for separate subnets: in Cisco routers you do this using sub-interfaces, in Juniper routers you do this using IRB interfaces. It is also useful in servers, especially with virtualization: virtual machines for different networks, for example public versus private, or student versus administration, can be created and exist on the same physical virtualization host.

Local VLANs: this is where we have two or more VLANs on a single switch. The switch behaves as if it were several separate virtual switches, sending traffic only within the members of each VLAN. Access ports are where end nodes are connected, and you configure them as members of a VLAN. By default all ports of a switch are members of VLAN 1. Newly created VLANs must have an ID other than 1, and then you add ports by moving them out of VLAN 1 into the newly created VLAN.

Let us look at what this looks like in the diagram. In this diagram we have a simple switch with two VLANs: the orange or amber VLAN is VLAN 20, the green VLAN is VLAN 30. In each of these VLANs we have three end nodes, and they are connected to access ports, so you have the VLAN 20 nodes and the VLAN 30 nodes. The VLAN 20 nodes can only send traffic to other VLAN 20 nodes; they cannot send traffic to VLAN 30 nodes. This switch behaves as if you had two different switches, an orange switch and a green switch.

So now let's talk about VLANs across switches. Two switches can exchange traffic from one or more VLANs. The inter-switch links are configured as trunks; in this case they will carry frames from all or a subset of the switch's VLANs. Each frame carries a tag that identifies the VLAN it belongs to. You can think of the tag as a sticky note with an ID, just the number of the VLAN that the frame belongs to. 802.1Q is the IEEE standard that defines how Ethernet frames should be tagged when moving across switch trunks. This means that all switches that support 802.1Q, from different vendors, will be able to exchange VLAN traffic with no problem, because they will tag the frames in exactly the same way.

So let us look at the structure of an 802.1Q tagged frame. In this slide we have two Ethernet frames: the one at the top is a normal Ethernet frame, the one at the bottom is an 802.1Q tagged frame. The numbers are the size in bytes of each field. Starting with the fields that are the same: you have the preamble, same size; the start of frame delimiter, one byte in both; and the destination and source addresses (remember these are MAC addresses, which is why they are six bytes each). Then for a normal Ethernet frame you have a two-byte type/length field, the data, which is the other layers, and the CRC to check for errors. In the tagged frame, after the addresses, instead of the type/length field you have a two-byte tag protocol identifier, just a number to tell you which tagging protocol you are using, and then a two-byte tag. That two-byte tag has some structure, which is shown in the last row at the bottom in grey. You have three bits for user priority; some people use this for QoS, but we advise you not to do that and just ignore them. There is another bit that is historical; it used to be used to tell you whether this tagged frame is on Token Ring or not. But what is important to us is the 12 bits at the end: this is where we put our tags. Since there are 12 bits, you can have 2^12 different tags, which is 4096, so if you try to create a VLAN on a switch it will not allow you to create an ID above 4095, because there are only 12 bits for the VLAN tag itself. The rest of the frame is as above.

Note that a switch that does not understand 802.1Q tagging can still forward an 802.1Q tagged frame. If you look at the format, you start with the preamble, then the start of frame delimiter, then the addresses, and then the tag protocol identifier sits where the type/length field would be, and that is all a switch usually needs in order to forward the frame. Some switches even start forwarding the frame just after receiving the destination address. So a switch that receives this tagged frame and does not understand the tag will be able to forward it based on the source and destination MAC addresses. The only problem is that it will not be able to treat the frames from different VLANs as if they belonged to different switches. But the protocol itself was written to be backwards compatible, which is very, very good.

In this diagram we can look at a representation of VLANs across switches. We have two switches, configured identically to the switch we had earlier: each one has three nodes in VLANs 20 and 30, and we have introduced a trunk port, with a cable on the trunk port between the two switches. All the frames flowing between the switches are tagged, orange for VLAN 20 or green for VLAN 30, so the switch that receives them on the other side can tell which VLAN each particular frame belongs to.

I have been mentioning the terms tagged and untagged. Frames sent out through access ports are not tagged; these are the normal Ethernet frames we saw in the slide defining 802.1Q. The frames you receive on an access port are not expected to be tagged either, and you can typically configure your switch to ignore tagged frames on an access port. This is because you are going to connect end nodes to that port, things like network printers and desktop machines, where the device does not even need to know what VLAN it is allocated to. You only need to tag frames on switch-to-switch links, when you are transporting multiple VLANs on the trunk links. A trunk, however, can transport both a tagged frame, an 802.1Q tagged frame, and a normal Ethernet frame, an untagged frame. The catch is that the devices on both sides, the switches on both sides, must agree which VLAN untagged frames are going to be assigned to.
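As an added example (not code from the presentation or from NSRC), the following Python parses the two frame layouts discussed above, builds an 802.1Q tagged frame, and applies the access-port and trunk rules to an arriving frame. The port dictionaries, the policy of dropping tagged frames on an access port, and the sample frames are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier marking an 802.1Q tagged frame


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header as a NIC delivers it (preamble, SFD and CRC stripped).
    After the two MAC addresses comes either the type/length field or, for a
    tagged frame, the TPID and then the 2-byte Tag Control Information:
    3 bits user priority | 1 bit CFI (historical Token Ring flag) | 12 bits VLAN ID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    info = {"dst": frame[:6].hex(), "src": frame[6:12].hex(), "tagged": False}
    type_or_tpid = struct.unpack("!H", frame[12:14])[0]
    if type_or_tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated inside the 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, priority=tci >> 13, cfi=(tci >> 12) & 1,
                    vlan_id=tci & 0x0FFF, ethertype=ethertype, payload=frame[18:])
    else:
        # Untagged frame. The MAC addresses sit at the same offsets in both
        # layouts, which is why a switch without 802.1Q support still forwards
        # tagged frames (it just cannot keep the VLANs apart).
        info.update(ethertype=type_or_tpid, payload=frame[14:])
    return info


def build_tagged(dst: bytes, src: bytes, vlan_id: int, ethertype: int,
                 payload: bytes, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag; the VLAN ID is 12 bits, so 4095 is the largest value."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = ((priority & 0x7) << 13) | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def ingress_vlan(frame: bytes, port: dict):
    """Assign an arriving frame to a VLAN, or return None to drop it.
    port is a constructed description: {"mode": "access", "vlan": 20} or
    {"mode": "trunk", "allowed": {20, 30}, "native": 1}.
    """
    f = parse_frame(frame)
    if port["mode"] == "access":
        # Access ports serve end nodes; tagged frames are ignored (dropped) here.
        return None if f["tagged"] else port["vlan"]
    if f["tagged"]:
        return f["vlan_id"] if f["vlan_id"] in port["allowed"] else None
    # Untagged frame on a trunk: both switches must agree on this native VLAN.
    return port["native"]
```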

© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.

Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license.
You are free to:
Share — copy and redistribute the material in any medium or format.
Adapt — remix, transform, and build upon the material.
The licensor cannot revoke these freedoms as long as you follow the license terms.
Under the following terms:
Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
NonCommercial — You may not use the material for commercial purposes.
No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.