This article is an initial introduction for beginners to VLANs (Virtual LANs). It touches lightly on the benefits of using VLANs, some usage scenarios, and the types of VLAN tagging. It is not intended as a How-To guide; see the Related Articles section below for more specific and advanced articles.
Table of Contents
- Introduction to Virtual LANs (VLANs) and Tagging
- Typical Usage Situations
- VLAN Tagging
- Related Articles
Introduction to Virtual LANs (VLANs) and Tagging
Virtual LANs (VLANs) allow network administrators to subdivide a physical network into separate logical broadcast domains. On a plain Layer 2 network, every host connected to a switch is a member of the same broadcast domain; the only way to create a separate broadcast domain is to use a physically separate switch, with a router forwarding traffic between the two.
As networks scale, it becomes necessary to introduce multiple broadcast domains in order to segment traffic for performance, security or logistics reasons. Without the use of VLANs, this would typically require each network segment to have its own separate switch infrastructure, with one or more routers managing communication between each switch segment.
A VLAN represents a broadcast domain. VLANs are identified by a 12-bit VLAN ID. The field can hold values 0 through 4095, but 0 and 4095 are reserved by 802.1Q, so the usable IDs are 1 through 4094; VLAN 1 is the default VLAN on almost all equipment, and every port belongs to it until configured otherwise. Each port on a switch or router can be assigned as a member of one or more VLANs (i.e., allowed to receive and send traffic on that VLAN). For example, on a switch, traffic arriving on a port that is a member of VLAN 100 may be forwarded to any other VLAN 100 port on that switch, and it can also travel across a trunk port (a connection between switches) to another switch and be forwarded to all VLAN 100 ports there. Traffic is never forwarded to ports that belong only to a different VLAN ID.
This effectively allows a network administrator to logically split up a switch, allowing multiple broadcast domains to coexist on the same hardware, but maintaining the isolation, security, and performance benefits of using completely separate switches.
Because VLANs operate at Layer 2, Layer 3 routing is required for hosts in different VLANs to communicate, in the same way a router segments and manages traffic between two subnets on different switches. Many Layer 3 switches can route between VLANs themselves, so inter-VLAN traffic is exchanged at the core switch without a round trip through an external router, which improves performance. Note that this routing hop is also where any access control between VLANs (firewall rules, ACLs) has to be applied; the VLAN itself only separates broadcast domains.
In order to implement VLANs, the routers and switches must support VLANs. Although there are several proprietary protocols in existence, the most commonly used protocol for configuring VLANs is IEEE 802.1Q. Switches that support VLANs are often called "Managed" switches, but it is important to know this can be a misused marketing term and doesn't guarantee VLAN support. All of Ubiquiti’s routers, wireless solutions and most switches support the 802.1Q VLAN protocol, and are interoperable with third-party hardware using the same protocol.
Typical Usage Situations
A few examples of what VLANs can be used for:
- To separate network management traffic from end-user or server traffic.
- To isolate sensitive infrastructure, services and hosts from less trusted ones, for example keeping corporate users separate from guest users.
- To prioritize or implement Quality of Service (QoS) rules for specific services, such as VoIP Phones.
- To provide network services for different clients in an ISP, Datacenter or Office Building using the same switch and router infrastructure.
- To separate groups of hosts logically, irrespective of physical location—for example, allowing Human Resources employees to share the same network subnet and access the same network resources, regardless of their location within the building.
VLAN Tagging
The terminology used for VLAN tagging varies considerably between hardware vendors, but the mechanism is the same. So that 802.1Q-compatible hardware can identify which VLAN an Ethernet frame belongs to, a 4-byte 802.1Q tag is inserted into the Ethernet header immediately after the source MAC address. The tag carries a Tag Protocol Identifier (0x8100), a 3-bit priority field (PCP) used for QoS, a 1-bit drop-eligible indicator (DEI), and the 12-bit VLAN ID.
This tag may be added or removed by a host, a router, or a switch. Within the network, each physical port is configured as untagged or tagged for specific VLANs, which determines which VLAN IDs it accepts and forwards, and whether frames leave it with or without the tag. Let's take a closer look at each option.
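As an added example (not code from the original article or from Ubiquiti), the following Python routine builds and parses the 802.1Q tag described above. The sample frame, its MAC addresses and the function names are constructed for illustration; the field layout itself (TPID 0x8100 followed by a 16-bit TCI holding a 3-bit PCP, a 1-bit DEI and a 12-bit VID) is the standard one. It also shows the two reserved IDs and the priority-tagged case (a tag present with VID 0), which a parser has to treat as "no VLAN".

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def is_usable_vid(vid):
    """VID is a 12-bit field (0-4095); 0 and 4095 are reserved, so 1-4094 are usable."""
    return 1 <= vid <= 4094


def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte 802.1Q tag (TPID + TCI) that places a frame in VLAN `vid`."""
    if not is_usable_vid(vid):
        raise ValueError("VLAN ID must be 1-4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is a 3-bit field, DEI a 1-bit field")
    tci = (pcp << 13) | (dei << 12) | vid   # TCI = PCP:3 | DEI:1 | VID:12
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the destination and source MAC addresses."""
    if len(frame) < 14:
        raise ValueError("frame too short to hold an Ethernet header")
    return frame[:12] + build_tag(vid, pcp) + frame[12:]


def parse_frame(frame):
    """Return (dst, src, vid, pcp, ethertype, payload) for an Ethernet frame.

    vid is None for an untagged frame, and 0 for a priority-tagged frame
    (tag present, VID 0: priority bits only, no VLAN membership).
    """
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid, pcp = tci & 0x0FFF, tci >> 13
    if vid == 4095:
        raise ValueError("VID 4095 is reserved")
    return dst, src, vid, pcp, inner_type, frame[18:]


def strip_tag(frame):
    """Remove the 802.1Q tag, as a switch does on egress to an untagged port."""
    dst, src, vid, _pcp, ethertype, payload = parse_frame(frame)
    if vid is None:
        return frame
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample: broadcast IPv4 frame (EtherType 0x0800) with a dummy payload.
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0205f1c0ffee")
                   + b"\x08\x00" + b"\x45\x00" + b"\x00" * 30)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED, vid=100, pcp=5)
    print(tagged[12:18].hex())        # TPID 8100, TCI a064 (PCP 5, VID 100), then 0800
    print(parse_frame(tagged)[2:5])   # (100, 5, 2048)
    print(strip_tag(tagged) == SAMPLE_UNTAGGED)
```

The check on `is_usable_vid` is the one worth keeping in any code that accepts a VLAN number from configuration: a VID of 0 does not assign a VLAN, and 4095 is reserved, so both should be rejected rather than silently passed to the switch.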
Untagged: the VLAN a port is untagged for is also called its "Native VLAN" (or PVID, port VLAN ID). Any frame arriving on that port without an 802.1Q tag is assigned to the untagged VLAN, and frames in that VLAN leave the port with the tag removed.
This option is typically used when connecting hosts such as workstations or devices like IP cameras that don't tag their own traffic, and only need to communicate on one specific VLAN. A port can only have one Untagged VLAN configured at a time.
Tagged: Assigning a tagged VLAN to a port adds that port to the VLAN, but all ingress and egress traffic for it must carry the 802.1Q tag with that VLAN ID in order to be forwarded; a tagged frame with a VLAN ID the port is not a member of is dropped. The host connected to the switch port must be capable of tagging its own traffic, and be configured to do so with the same VLAN ID.
Tagged VLANs (as opposed to Untagged) on a port are typically used when connecting a host that needs access to several networks at once through the same interface, such as a server providing services to more than one department in an office. They are also used between switches: tagging only the VLANs a downlink switch actually needs, rather than all of them, limits which VLANs the hosts behind that switch can reach.
Trunk: A trunk port is typically a member of all VLANs (or of a configured list of them). It accepts and forwards tagged traffic on any of those VLAN IDs, with at most one native VLAN carried untagged, and is typically configured on the uplink and downlink ports between switches and routers. Because a trunk that carries every VLAN extends every VLAN to whatever is on the other end of the cable, a careful configuration limits each trunk to the VLANs the far end needs and keeps the trunk's native (untagged) VLAN one that carries no user traffic.
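To make the untagged, tagged and trunk rules concrete, the following Python model (an added example, not code from the article or from any Ubiquiti product) simulates how a switch classifies a frame on ingress and on which ports it leaves, tagged or untagged. The switch layout, the port names ge1 to ge8 and the VLAN numbers are constructed for illustration; a frame is represented only by the VLAN ID in its tag (None for untagged), so the model covers membership and isolation rather than MAC learning.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    """Per-port VLAN membership, as most 802.1Q switches model it.

    untagged: the one VLAN whose frames leave this port without a tag and to
              which untagged ingress frames are assigned (PVID / native VLAN).
    tagged:   VLANs carried on this port with the 802.1Q tag kept.
    """
    untagged: Optional[int] = None
    tagged: Set[int] = field(default_factory=set)

    def member_of(self, vid):
        return vid == self.untagged or vid in self.tagged


def trunk(vlans, native=None):
    """A trunk: every listed VLAN tagged, optionally one native VLAN untagged."""
    return Port(untagged=native, tagged=set(vlans) - {native})


def classify_ingress(port, vid):
    """Return the VLAN an arriving frame belongs to, or None if it is dropped."""
    if vid is None:            # untagged frame: assigned to the port's untagged VLAN,
        return port.untagged   # dropped if the port has no untagged VLAN
    if vid in port.tagged:     # tagged frame: accepted only if the port carries that VLAN
        return vid
    return None                # tagged with a VLAN this port is not a member of


def forward(ports: Dict[str, Port], ingress, vid):
    """Flood one frame the way a switch floods broadcast / unknown unicast.

    Returns {egress_port: vid_on_the_wire}; the value is None when the frame
    leaves untagged. A frame never leaves on a port outside its VLAN.
    """
    vlan = classify_ingress(ports[ingress], vid)
    if vlan is None:
        return {}
    out = {}
    for name, port in ports.items():
        if name == ingress or not port.member_of(vlan):
            continue
        out[name] = None if port.untagged == vlan else vlan
    return out


# Constructed example switch: two VLAN 100 access ports, one VLAN 200 access
# port, a server port tagged for both VLANs, and an uplink trunk with native VLAN 1.
SWITCH = {
    "ge1": Port(untagged=100),
    "ge2": Port(untagged=100),
    "ge3": Port(untagged=200),
    "ge4": Port(tagged={100, 200}),      # server tags its own traffic
    "ge8": trunk([100, 200], native=1),  # uplink to another switch
}

if __name__ == "__main__":
    # Workstation on ge1 sends an untagged broadcast: VLAN 100 ports only.
    print(forward(SWITCH, "ge1", None))   # {'ge2': None, 'ge4': 100, 'ge8': 100}
    # Server on ge4 sends a frame tagged 200: untagged to ge3, tagged up the trunk.
    print(forward(SWITCH, "ge4", 200))    # {'ge3': None, 'ge8': 200}
    # Host on ge1 tags its own frame 200 to reach another VLAN: dropped at ingress.
    print(forward(SWITCH, "ge1", 200))    # {}
```

The third case is the security property the article describes: a host on an untagged (access) port cannot move itself into another VLAN by adding a tag, because the port is not a tagged member of that VLAN. Note also that an untagged frame arriving on the trunk lands in the native VLAN (1 here), which is why that VLAN should not be one that carries sensitive traffic.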
Although each Ubiquiti product family uses a different approach to configuring VLANs, they all follow the same Untagged, Tagged, Trunked method of managing traffic and are interoperable.
For more information on configuring VLANs on a specific product, please see the Related Articles section below.