Overview of VLAN and its basic theory of operation

What is a VLAN

A Virtual LAN (VLAN), as its name indicates, is a virtual or logical separation of a LAN into multiple sub-LANs, with each sub-LAN  having its own members (end nodes).

VLANs are created mainly for administrative purposes to ensure that network traffic is seen only by members of a specific group, rather than by all members of the LAN. This way confidentiality is maintained and additionally nodes are protected from unnecessary traffic. For example, in an enterprise, each department (like Engineering, HR, Accounts etc.) may be maintained as a separate VLAN. Similarly, in a campus or a university network, each department (e.g. maths, physics, computer science  etc.) would typically be part of a separate VLAN.

An Example VLAN network

See the diagram below for an example of a network with two VLANs.

A sample L2 network with two VLANs.

A sample L2 network with two VLANs.

In the above example, EN1 through EN4 belong to VLAN1 and EN5 through EN8 belong to VLAN2. The L2 switch ports S1 to S4 are configured to be part of VLAN1 and ports S5 to S8 are configured to be part of VLAN2.

L2 Broadcasts and Multicasts in VLAN aware L2 Switches

The main difference comes in the way L2 broadcast and multicast frames are handled by the L2 switches. If it is a single LAN (without VLANs), then the L2 switches forward the L2 broadcast and multicast frames to all members (end nodes) of the LAN (flooding). In case of a LAN being logically divided into multiple VLANs, then the L2 switch confines the flooding of the L2 broadcasts and multicasts frames only to members of a specific VLAN (which is the VLAN to which the end node transmitting the L2 broadcast/multicast frame belongs).

VLANs basically create separate broadcast domains within a network.

The example diagram below illustrates the handling of a L2 broadcast frame by a L2 switch.

An example of VLAN flooding by a L2 Switch

An example of VLAN flooding by a L2 Switch

In this example, one of the members belonging to VLAN 1 (say EN4) transmits a L2 broadcast frame. The L2 switch recognizes that EN4 belongs to VLAN1 and hence floods the frame only to ports that belong to VLAN1. Thus the broadcast frame is forwarded only to EN1, EN2 and EN3. The frame is not sent out of ports 5 to 8, as these ports do not belong to VLAN1.

VLAN Port Types (Access and Trunk)

Ports in a VLAN enabled L2 Switch can be of two types, namely Access and Trunk Ports. Ports that carry traffic belonging to a single VLAN are termed as Access ports. Typically the ports connecting end nodes to a L2 Switch are Access ports, as end nodes typically belong to a single VLAN. Ports that carry traffic belonging to multiple VLANs are classified as Trunk Ports. Typically trunk ports are those that connect L2 Switches and those that connect a L2 switch to a L3 Router.

The diagram given below illustrates both types of ports.

VLAN Access and Trunk Ports

VLAN Access and Trunk Ports

In the above diagram, all the 16 EN ports are access ports and the ports connecting the L2 Switches are the trunk ports. Each L2 switch has 4 End Nodes belonging to VLAN1 and another 4 End Nodes belonging to VLAN2. The diagram shows a sample frame on VLAN1 sent from EN6 to EN13 and another sample frame on VLAN2, sent from EN7 to EN11. Both frames travel via. the trunk ports connecting the two L2 Switches.

VLAN Tagging

In order for trunk ports to identify the VLAN corresponding to an incoming frame, frames sent on the trunk ports carry an additional 4 byte header named as the VLAN header inside the Ethernet frame. VLAN header is sandwiched between the L2 and L3 headers as shown in the diagram below:

An Ethernet frame with a 4 byte VLAN header

An Ethernet frame with a 4 byte VLAN header

The VLAN header contains a VLAN-ID & Priority Fields. While the VLAN-ID field is used by the L2 switch to identify the VLAN to which a frame belongs to, the priority field is used for Quality of Service (QOS) purposes to give preferential treatment to frames during congestion.
VLAN Tagging is used mainly on trunk ports. Tagging is done to outgoing frames on trunk ports of L2 Switches and removed when it enters the peer L2 Switch.

 Basic Theory of Operation of a VLAN aware L2 Switch

The mechanism of operation of a VLAN aware L2 switch is similar to that of a normal L2 Switch in that basic L2 forwarding is done using ARL tables that are built by adaptive learning of end station’s MAC address.
However, in a VLAN aware switch, the primary difference comes in the number of ARL tables maintained. While a VLAN unaware L2 switch maintains a single ARL table, a VLAN aware L2 Switch maintains a ARL table for each VLAN that is under use. For example, if a L2 switch has members from two VLANs, then it maintains two ARL tables. The forwarding decision of frames belonging to a specific VLAN are taken by referring to the ARL table belonging to that specific VLAN. Within each VLAN ARL table, the learning, forwarding and time-out mechanisms remain similar to that of a normal L2 Switch.
A VLAN aware L2 switch needs to have the additional capability of flooding only to members of a specific VLAN and also implement the logic required for VLAN tagging in trunk ports.

Role of a L3 Router in a VLAN Network

While a VLAN aware L2 switch can forward frames from end nodes belonging to the same VLAN, it cannot forward traffic that needs to be sent from members belonging to different VLANs.  A L3 Router is required for this purpose.
Since a VLAN is a logical network by itself, each VLAN network is considered as a separate L3 Subnet and hence has a different L3 Subnet Address. Members belonging to different VLANs therefore need to have IP addresses belonging to different IP Subnets.
In summary, a L2 Switch is used for forwarding frames at layer 2 within a VLAN.  A L3 Router is used for sending inter-VLAN traffic. A L3 Router basically connects to multiple VLANs and routes traffic at L3 between these VLAN networks. While Intra-VLAN traffic is L2 Switched, inter-VLAN traffic is L3 Routed.

VLAN Configuration Methods

Since end nodes do not send VLAN tagged frames (tagging is used only on trunk ports by L2 Switches and L3 Routers), there has to be a method that enables a VLAN aware Switch/Router to identify the VLAN of each of its port. This is done by configuration of the Switch or Router based on three methods, namely port based or MAC address based or IP address based configuration.

In port based VLANs, each port of the L2 switch is configured with a specific VLAN ID. Typically, multiple ports would have the same VLAN ID (all members of a specific VLAN). For example, ports 1 to 4 could be configured to belong to VLAN ID 1 and ports 5 to 8 could be configured to belong to VLAN ID 2.
 In MAC based VLAN, the L2 Switch is configured with  MAC address-VLAN ID pair combinations, so that the L2 switch decides the VLAN of a frame based on this mapping and the source MAC address of the incoming frame.
In IP address based classification, the L2 switch identifies the VLAN ID of an incoming frame using the IP address present in the L3 header. In this case, the L2 Switch is configured with IP Subnet ID – VLAN ID pair combinations.

3 comments for “Overview of VLAN and its basic theory of operation

  1. JOB
    February 20, 2015 at 22:08

    In the third diagram titled “VLAN Access and Trunk Ports” a frame is sent from a node in VLAN1 to a node in VLAN2. I know this is just an example, but in the subsequent paragraph on L3 switches, inter-VLAN traffic requires an L3 switch – so in reality, node EN7 could not send a frame to node EN14 because they are in separate VLANs and there are only LS2 switches used. Or did I misunderstand something?

    • February 23, 2015 at 23:05

      Hi,
      After reading your question, I reread the article and found that there was a typo in the article. A frame is being actually sent from EN7 to EN11 (both are part of VLAN2) via. the trunk port and not from EN7 to EN14. Error is regretted. I have also updated the diagram accordingly. So to clarify your doubt, the trunk port of an L2 switch can carry frames belonging to multiple VLAN but can never forward frames between different VLANs. So the L2 switch would never be able to forward a frame sent from EN7 to EN14. Such a frame would have to be Inter-VLAN Routed via. a L3 Router.

      Badri.

  2. vijaykumar
    August 2, 2015 at 23:04

    nice quoted article on vlan…Thank you.

Leave a Reply

Your email address will not be published. Required fields are marked *

Current ye@r *