Hi there, I have a research project to do abotu VLANS and I am having trouble about what it exactly is. Can someone please explain to me wha tone is and how it works? Thanks much.
What is a VLAN and how does it work?
- Thread starter Aznguy1872
- Start date
a VLAN is a virtual LAN. It allows multiple users to be grouped together in a common IP subnet without worrying about physical location.
For example: we have Bob, Sally, Manny and CHuck on the 1st floor; Connie, Mel, Sam and Mike on the 3rd. All of them are connected to different switches...the IT manager can group all of their ports together into a single VLAN (IP subnet). You can do this for a number of reasons but the most likely is security. VLAN #1 and VLAN #2 are normally invisible to each other and as far as the users can tell, those other networks don't even exist. To "jump" from VLAN to VLAN requires the services of a router or Layer 3 switch, which can then apply rules to limit access across the network barrier.
HTH.
here are some "official" definitions:
http://www.google.com/search?hl=en&hs=2...client=firefox-a&rls=org.mozilla:en-US
fficial&oi=defmore&defl=en&q=define:VLAN
For example: we have Bob, Sally, Manny and CHuck on the 1st floor; Connie, Mel, Sam and Mike on the 3rd. All of them are connected to different switches...the IT manager can group all of their ports together into a single VLAN (IP subnet). You can do this for a number of reasons but the most likely is security. VLAN #1 and VLAN #2 are normally invisible to each other and as far as the users can tell, those other networks don't even exist. To "jump" from VLAN to VLAN requires the services of a router or Layer 3 switch, which can then apply rules to limit access across the network barrier.
HTH.
here are some "official" definitions:
http://www.google.com/search?hl=en&hs=2...client=firefox-a&rls=org.mozilla:en-US
fficial&oi=defmore&defl=en&q=define:VLANtagging and untagging is used to determine the priority of traffic.
Hypothetical: 2 (VLAN #1 and VLAN #2) network streams arrive at 1 port simultaneously, which one goes 1st? with tagging, the IT folks can say that VLAN #2 traffic is more latency sensitive and should go 1st to avoid disrupting the enduser experience (ie voice or video traffic or the CEO download of porn). this is very common in high traffic networks with mission critical applications (voice is the most common) competing with "regular" traffic. Voice goes 1st otherwise you have some issues with your phones.
Tagging can occur on both layer 2 (ethernet) and layer 3 (IP) headers. So with L2 tagging, you can tag traffic from mac address A to go ahead of mac address B and with layer 3 "aware" switches they can peak into the IP header and see the tag and act on just the tag, but nothing else.
Confused yet?
Hypothetical: 2 (VLAN #1 and VLAN #2) network streams arrive at 1 port simultaneously, which one goes 1st? with tagging, the IT folks can say that VLAN #2 traffic is more latency sensitive and should go 1st to avoid disrupting the enduser experience (ie voice or video traffic or the CEO download of porn). this is very common in high traffic networks with mission critical applications (voice is the most common) competing with "regular" traffic. Voice goes 1st otherwise you have some issues with your phones.
Tagging can occur on both layer 2 (ethernet) and layer 3 (IP) headers. So with L2 tagging, you can tag traffic from mac address A to go ahead of mac address B and with layer 3 "aware" switches they can peak into the IP header and see the tag and act on just the tag, but nothing else.
Confused yet?
Whoa, yeah, lol. all this tagging stuff seems confusing. I thought tagging means that these ports go to this VLAN or something, maybe I am wrong. But I'll try to understand what your trying to say. THanks for the time and help.
I know I'm kinda resurrecting this thread, but I'm also having trouble understanding vlans, or rather, their capabilities. First of all, aren't vlans assigned by port? So how can you have two vlans talking on the same port? Can the vlans overlap ports? Can you have vlans share an uplink port to another managed switch? How would that configuration look? It's just not clicking with me.
Usually, they are assigned by port. However, there are such things are dynamic vlans which are assigned by the MAC address. On a dynamic port, only one vlan can be assigned at a time.
You can assign multiple vlans to a single port (up to 250 or 64 depending on the model). However, you cannot configure multiple vlans to a port when trunking is configured because multi-vlan ports are not encapsulated.
Yes, vlans can share uplink ports to another managed switch. This is called vlan trunking. Trunkin encapsulated the vlan info via a vtp protocol (isl, atm, 802.1q, ect). Here is a very quick config example, with 2 seperate static vlans setup on a fa ports and trunking the gig port to carry the vlan info:
interface FastEthernet0/1
switchport access vlan 70
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 70
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 80
switchport mode access
!
interface GigabitEthernet0/1
switchport mode trunk
switchport trunk encapsulation dot1q
!
You can assign multiple vlans to a single port (up to 250 or 64 depending on the model). However, you cannot configure multiple vlans to a port when trunking is configured because multi-vlan ports are not encapsulated.
Yes, vlans can share uplink ports to another managed switch. This is called vlan trunking. Trunkin encapsulated the vlan info via a vtp protocol (isl, atm, 802.1q, ect). Here is a very quick config example, with 2 seperate static vlans setup on a fa ports and trunking the gig port to carry the vlan info:
interface FastEthernet0/1
switchport access vlan 70
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 70
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 80
switchport mode access
!
interface GigabitEthernet0/1
switchport mode trunk
switchport trunk encapsulation dot1q
!
I added some more info about different types on trunking as well as assigning multiple vlans per port.
ISL (interswitch link) is a cisco proprietary vtp, so if you have an all cisco network you might use this. Or, if you had a Cisco connecting to a 3Com switch, you would want to use 802.1q to encapsulate the vlan info between the 2 different vendor switches.
Also, keep in mind that EVERY switch is setup with vlans, even if you dont assign them. By default, every port is in a default vlan, VLAN1.
ISL (interswitch link) is a cisco proprietary vtp, so if you have an all cisco network you might use this. Or, if you had a Cisco connecting to a 3Com switch, you would want to use 802.1q to encapsulate the vlan info between the 2 different vendor switches.
Also, keep in mind that EVERY switch is setup with vlans, even if you dont assign them. By default, every port is in a default vlan, VLAN1.
I also have one other question, becuase this would be useful for us...
Can you have a trunk connect two managed switches that have unmanaged, dumb hubs, in between them? OR, maybe even routers or bridges in between them?
Can you have a trunk connect two managed switches that have unmanaged, dumb hubs, in between them? OR, maybe even routers or bridges in between them?
"dot1q" refers to 802.1q, which is the standard describing the protocol.
Using 802.1q (instead of something like Cisco's ISL) permits inter-vendor communication of the trunk. 802.1q and ISL are "tagging" schemes; when a frame enters an 802.1q-enabled port, a "tag" is added onto (or into, depending on the scheme) the frame that describes which VLAN the frame is associated with.
The tag is stripped when the frame exits the "last switchport" enroute to the client.
A trunk is a single physical connection that carries multiple VLAN-tagged frames .
All devices in the path must be enabled for the tagging scheme you are using; the tags may expand the frame beyond the normal maximum size and the tagging information added to the frame makes it appear to be corrupted to a device that is not tag-enabled.
If a tagged frame hits a device that is not configured for tagging, the frames are usually discarded.
Routers are usually configured to handle the 802.1q tags by creating "sub-interfaces" - each sub-interface represents a given VLAN and can route between the VLANS and/or other networks/subnetworks as if each were a separate physical connection.
You cannot use hubs as a VLAN transit device (no trunkport capability), but you can plug a hub into a tag-enabled port of a switch, and all frames from the hub will be tagged with the VLAN associated with the switchport that the hub is connected to. The same goes for an unmanged / non-tagging switch.
If you terminate a trunk into a router that is not configured for VLANs ((802,1q, ISL, or other vendor propriatery scheme) then the router can only "see" the "native" VLAN (the Native VLAN does not tag the frame). In most cases, the Native VLAN can be defined as any VLAN ID, by default for most vendors, it's usually VLAN 1.
Here's a link to Cisco's "Internetworking" book online. Check out the link to "Tag Switching":
Cisco Internetworking
FWIW
Scott
Using 802.1q (instead of something like Cisco's ISL) permits inter-vendor communication of the trunk. 802.1q and ISL are "tagging" schemes; when a frame enters an 802.1q-enabled port, a "tag" is added onto (or into, depending on the scheme) the frame that describes which VLAN the frame is associated with.
The tag is stripped when the frame exits the "last switchport" enroute to the client.
A trunk is a single physical connection that carries multiple VLAN-tagged frames .
All devices in the path must be enabled for the tagging scheme you are using; the tags may expand the frame beyond the normal maximum size and the tagging information added to the frame makes it appear to be corrupted to a device that is not tag-enabled.
If a tagged frame hits a device that is not configured for tagging, the frames are usually discarded.
Routers are usually configured to handle the 802.1q tags by creating "sub-interfaces" - each sub-interface represents a given VLAN and can route between the VLANS and/or other networks/subnetworks as if each were a separate physical connection.
You cannot use hubs as a VLAN transit device (no trunkport capability), but you can plug a hub into a tag-enabled port of a switch, and all frames from the hub will be tagged with the VLAN associated with the switchport that the hub is connected to. The same goes for an unmanged / non-tagging switch.
If you terminate a trunk into a router that is not configured for VLANs ((802,1q, ISL, or other vendor propriatery scheme) then the router can only "see" the "native" VLAN (the Native VLAN does not tag the frame). In most cases, the Native VLAN can be defined as any VLAN ID, by default for most vendors, it's usually VLAN 1.
Here's a link to Cisco's "Internetworking" book online. Check out the link to "Tag Switching":
Cisco Internetworking
FWIW
Scott
her209
No Lifer
- Oct 11, 2000
- 56,336
- 11
- 0
Say you have three VLANs: VLAN1, VLAN2, VLAN3.
Your servers are in VLAN3. You don't want VLAN1 and VLAN2 to be able to communicate to each other directly, but both need access to the same servers. You would make every port that is in VLAN3 also a member of VLAN1 and VLAN2.
how c-n you put ports in different VL-Ns if it isn't trunk?
how -re bro-dc-st/mulitc-s-ts hndled?
how -re bro-dc-st/mulitc-s-ts hndled?
As spidey says (sans some "A"s), I have never seen a single port have multiple VLANs on it without it being A) a Trunk port or B) community/promiscuous/private.
I could just be ignorant - if so, please elaborate as it would be very handy.
Ok, I would like have a vlan trunked through a linux router. So lets say I have:
switch1 -------- router ---------- switch2
Basically I want 1 computer on switch2 to act like it is on the other side of the linux router (like it was connected to switch1). If I set up a VLAN for the computer on switch2 and set the pot connected to the router as the trunk, would I have to do any configuration on the linux router? Or does linux (Netfilter, I guess it would be) automatically know about trunks and q-tagging and pass the VLAN tagged packets on to switch1?
switch1 -------- router ---------- switch2
Basically I want 1 computer on switch2 to act like it is on the other side of the linux router (like it was connected to switch1). If I set up a VLAN for the computer on switch2 and set the pot connected to the router as the trunk, would I have to do any configuration on the linux router? Or does linux (Netfilter, I guess it would be) automatically know about trunks and q-tagging and pass the VLAN tagged packets on to switch1?
Brazen,
That can't be done.
A LAN is a broadcast domain. A router by very definition is the boundary of a broadcast domain. You can't trunk through a router without some very sophisticated features and knowledge (QinQ trunking)
So you can't pass your tagged traffic through a router. To do what you're trying to do (make the router act like a switch) then you need to have the router do bridging. But at that point it isn't really a router, it is a bridge.
That can't be done.
A LAN is a broadcast domain. A router by very definition is the boundary of a broadcast domain. You can't trunk through a router without some very sophisticated features and knowledge (QinQ trunking)
So you can't pass your tagged traffic through a router. To do what you're trying to do (make the router act like a switch) then you need to have the router do bridging. But at that point it isn't really a router, it is a bridge.
Yeah, I know, I'm just grasping for straws. I need to figure something out and I don't want to have to run extra cable just for that one computer.
VPN! It is designed to allow a host to become a member of a routed/disparate/remote LAN. Well, sorta. But a VPN will allow a host on Segment#2 to be on Segment#1 without any recabling.
I thought about that, but there are 2 problems: 1) I need to make sure the computer on Switch2 can not access any of the other computers on switch2, and 2) This isn't a "computer" in the standard sense - It's an HVAC controller.
I think I've figured out a solution:
Reading around, I've found I can create a virtual interface on the linux router that can be attached to a VLAN. So for instance I can create a virtual interface on VLAN2 and set up switch2 to put that one computer on VLAN2. Then I'll just assign that computer it's own subnet and it will act like it's attached to a competely seperate interface on the router and on it's own switch, thanks to VLANs, without adding any additional equipment clutter!
In cisco parlance that is usually referred to as a sub-interface with 802.1q encapsulation. I do not know if this will fix your router-in-the-middle problem though. Give it a go ... if your router will let you bridge eth0 and eth1.vlan2, then wow, who needs network design!?
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 24K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes Discussion Threads
- Started by Tigerick
- Replies: 19K
-
-
-
Facebook
Twitter