A practical guide to 802.1Q VLANs
TL;DR;
- VLANs (Virtual Local Area Networks): Logical segments within a physical network, providing isolation and organization.
- 802.1Q: The standard for VLAN tagging, allowing VLANs to coexist on the same physical network.
- Access Ports: Connect to a single VLAN, accepting untagged traffic and assigning it to a specific VLAN.
- Trunk Ports: Carry multiple VLANs, using tags to differentiate traffic from various segments.
- VLAN IDs: Unique identifiers for each VLAN, used to categorize network traffic.
- Native VLAN: The default VLAN for untagged traffic on a trunk port.
Introduction
VLANs (Virtual Local Area Networks) are a fundamental concept in modern networking. They are a feature found in IEEE 802.1Q-compliant devices, such as managed network switches and routers, allowing you to break down a single large physical network into smaller, isolated virtual network segments. By using VLANs, you can create complex network structures, enhance network performance by reducing traffic congestion, and better organize your network segments by department or function (such as internal LAN, guest networks, or lab networks). This segmentation also improves network security by isolating different parts of the network from one another.
Although there are various methods to implement VLANs, such as port-based, MAC-based, or subnet-based VLANs, IEEE 802.1Q remains the most widely accepted standard, providing a robust and scalable approach to VLAN tagging and network segmentation.
In this article, I’ll briefly explain key 802.1Q concepts like access and trunk ports, VLAN tagging, and the underlying logic for building networks with VLANs.
How a VLAN works
VLANs are a Layer 2 feature, meaning they function at the datalink layer of the ISO/OSI stack. This feature works by adding extra information to network frame headers, known as a “VLAN tag.” A VLAN tag is simply a number that helps categorize network traffic. For instance, you could use tag 10 for your internal LAN, tag 20 for the guest Wi-Fi network, and tag 30 for the IoT network. Once traffic is tagged, you can control which switch ports it can or cannot use, effectively breaking a single physical switch into smaller virtual ones. Furthermore, these VLAN tags can also be carried over to other network switches, firewalls, and routers, allowing you to create more complex network structures.
Here’s an example of a straightforward network setup that I’ll reference throughout the article:
In this example, we have a basic setup: a single firewall provides Internet access, with two switches connected to the firewall and to each other, allowing various devices to join the network. There are also four client computers and one server. Let’s say that PC2 and PC4 are our own internal computers (in green), while PC1 and PC3 are guest devices that need Internet access but shouldn’t be able to connect to the server (in red). With this configuration and without physically rewiring the network, there’s no straightforward way to ensure that the guests can only access the Internet and not the server. This is where VLANs come into play. But before diving in, let’s explore some core concepts.
Port configuration
Ports on a managed network switch can operate in two modes: “access” and “trunk.” An access port is connected to a single VLAN ID, allowing access to a specific VLAN. This type of port accepts untagged traffic from connected devices, such as computers, and assigns it the corresponding VLAN ID, effectively placing the device on that virtual network. If traffic with a VLAN tag arrives at an access port, the tag is removed, and the frame is re-assigned the access port’s VLAN ID.
On the other hand, a trunk port can handle traffic from multiple VLANs. It does this by carrying frames tagged with the appropriate VLAN ID, allowing a mix of data from different VLANs to travel across the same physical connection. Trunk ports are typically used to connect switches or link network devices that need to exchange traffic from different VLANs. Any traffic arriving at a trunk port with a tag that isn’t recognized as valid for that port is dropped to ensure network security and stability.
Additionally, a trunk port can be associated with a “native VLAN.” The native VLAN is where untagged traffic is directed. If a frame without a VLAN tag arrives at a trunk port, it is assigned to the native VLAN, ensuring proper routing within the network.
Putting it all together
We now have the basic tools to create VLANs. Let’s apply what we’ve learned and create two virtual networks: one for our internal devices and one for our guests. The first step is to decide which VLAN tags to assign to each network. For this example, we’ll use VLAN 10 for our internal LAN and VLAN 20 for guests.
Next, we need to create these VLANs on our switches and configure corresponding virtual interfaces on the firewall. Assign unique IP addresses and subnets to these interfaces to ensure proper routing. As configuration procedures vary among manufacturers, specific steps won’t be covered in this article.
Additionally, define firewall rules to regulate traffic between these networks. For example, allow traffic from VLAN 10 (internal LAN) to access the Internet, but block access from VLAN 20 (guest network) to internal resources on VLAN 10.
Next, we program our switches:
- Configure ports 1, 8 on Switch 1 and port 8 on Switch 2 as trunk ports and assign them VLAN tags 10 and 20.
- Then we’ll configure port 3, 6 on Switch 1 and port 6 on Switch 2 as access ports for VLAN 10, which will be used by our internal devices.
- Similarly, ports 2 on Switch 1 and port 5 on Switch 2 will be set as access ports for VLAN 20, which will serve our guest network.
In this configuration, PC1 and PC3 are unable to directly access the server, PC2, or PC4 due to being on separate VLANs. Instead of direct communication, their traffic is now routed through the firewall. This allows the firewall to regulate access, ensuring that communication between devices in different VLANs is controlled and potentially restricted based on network policies.
Expanding the network
Let’s now imagine adding a wireless access point (WAP) to our network. We will connect it to Switch 1 and set up two separate SSIDs: “Network” and “Guests.” The goal is to allow devices on the “Network” SSID to communicate with our internal LAN, while devices on the “Guests” SSID should only have Internet access, without any connection to PC1 or PC3.
To accomplish this, we could follow these steps (without detailing specific procedures since, again, they differ among vendors):
- First, we need to create the two SSIDs on the WAP. We should assign a VLAN tag to each of them. Specifically, we’ll assign tag 10 (since it’s already used on our LAN) to “Network” and a new tag 30 to “Guests.”
- We must remember to create tag 30 on Switch 1 and configure one of its ports as a trunk port for VLANs 10 and 30 (let’s say port 7).
- Finally, we need to add our new VLAN 30 to the trunk on port 1 and configure it on the firewall.
Here’s what the network would look like:
There is no need to add VLAN 30 to the existing trunk between Switch 1 and Switch 2 since the “Guests” VLAN doesn’t need to access Switch 2. By managing VLAN trunks thoughtfully, especially in complex setups, we can reduce network traffic between switches, enhancing performance and reducing the risk of collisions. This approach also enhances network security by isolating critical devices and restricting unnecessary access to different network segments.
Conclusion
In conclusion, we’ve explored the fundamental concepts of VLANs and their significance in network segmentation. By dividing a single physical network into isolated virtual segments, VLANs enhance network organization, performance, and security. Through access and trunk ports, VLAN tagging, and trunk configuration, we’ve seen how VLANs easily enable the creation of complex network structures and facilitate efficient traffic management.
I’m planning to set up vlans in my home net. Is there a way to make sure my guests can’t access my main net but still use my printer? Not sure how to configure that
Hey thank you for stopping by. You can go two routes IMHO: either set up a firewall rule allowing guests to access just the printer, or create a dedicated DMZ VLAN for the printer (and other shared devices if you have them), then let both networks connect to that VLAN. Either way you need a firewall to regulate who can go where.
Great explanation of VLANs! Quick question-what happens if I set the same tag on two different networks that aren’t supposed to communicate? Is there a way to prevent that from causing problems?
Short answer: don’t do that! It can introduce problems and security risks that can be very hard to troubleshoot, but I guess if the networks do not share any paths between them it should technically be possibile (although it’s a terrible idea IMHO)