Why Do We Need VLAN?
Early Ethernet allows data communication over shared media through Carrier Sense Multiple Access/Collision Detection (CSMA/CD). When an Ethernet network has a large number of hosts, collision becomes a serious problem and can lead to broadcast storms. This degrades network performance or even causes a complete breakdown. Using Layer 2 devices to connect LANs can restrict data transmission within a LAN. However, this resolves only the conflicts.
This is where VLAN technology comes in. VLAN technology allows a physical LAN to be divided into multiple logical LANs (multiple VLANs). Each VLAN functions as a separate broadcast domain, with hosts in the same VLAN able to directly communicate with one another, while those in different VLANs cannot. As a result, broadcast packets are confined within a single VLAN. The following figure shows an example.
Functions of a VLAN
VLAN technology offers the following benefits:
- Confines each broadcast domain to a single VLAN. This conserves bandwidth and improves network processing capabilities.
- Enhances LAN security. Frames in different VLANs are separately transmitted, so that hosts in a VLAN cannot directly communicate with those in another VLAN.
- Improves network robustness. A fault in one VLAN does not affect hosts in another VLAN.
- Allows for flexible virtual groups. VLAN technology allows hosts in different geographical locations to be added to different groups, simplifying network construction and maintenance.
VLAN vs Subnet
A network can be divided into multiple subnets to conserve IP address space and support flexible IP addressing.
Similar to a VLAN, a subnet can also isolate hosts. Hosts in different subnets cannot communicate with each other. The following figure shows the comparison between VLANs and subnets.
VLAN vs subnet
VLAN Tag and VLAN ID
IEEE 802.1Q adds a 4-byte VLAN tag to an Ethernet frame, enabling switches to identify the VLAN to which the received frame belongs.
VLAN-tagged frame format defined in IEEE 802.1Q
The VID field in a data frame identifies the VLAN to which the frame belongs (that is, the VLAN ID). The frame can only be transmitted within this VLAN. This field ranges from 0 to 4095. The values 0 and 4095 are reserved, and therefore available VLAN IDs are in the range from 1 to 4094.
All frames processed in a switch carry VLAN tags, but some devices, such as hosts and servers, connected to a switch cannot process VLAN-tagged frames. To enable communication between the switch and these devices, the switch interfaces must be able to identify whether an Ethernet frame is tagged, and add VLAN tags to or remove VLAN tags from the frames when sending and receiving these frames. When the switch receives an untagged frame, it adds a VLAN tag to the frame according to the default VLAN, that is, Port Default VLAN ID (PVID) of the interface that received the frame.
Interface Types and VLAN Tag Processing
Hosts in the same VLAN may be connected to different switches, and a VLAN can span multiple switches. To enable communication between hosts, interfaces between switches must be able to identify and send VLAN-tagged frames of multiple VLANs. Ethernet interfaces of different types can be configured to satisfy different networking requirements, depending on the objects connected to them and the way they process frames.
Different vendors may define different VLAN interface types. On Huawei devices, Ethernet interfaces are classified into access, trunk, and hybrid interfaces.
An access interface often connects to a terminal (such as a PC or server) that cannot or does not need to identify VLAN tags.
Frames are classified into the following types based on whether they carry VLAN tags:
- Untagged frame: an original frame without a 4-byte VLAN tag
- Tagged frame: a frame with a 4-byte VLAN tag
In most cases, access interfaces accept and send only untagged frames, and tag frames that do not carry a VLAN tag with its Port Default VLAN ID (PVID). Since only tagged frames can be processed in a switch, the default VLANs for access interfaces must be set. After the default VLAN is configured for an access interface, the access interface joins this VLAN and adds the corresponding VLAN tag to received untagged frames.
An access interface accepts VLAN-tagged frames only when they are tagged with a VLAN ID that matches its PVID.
An access interface removes the VLAN tag from a tagged frame before sending the frame out.
A trunk interface often connects to a switch, router, AP, or voice terminal that can accept and send both tagged and untagged frames. It accepts VLAN-tagged frames of multiple VLANs and only sends frames in the default VLAN as untagged.
The default VLAN of a trunk interface is defined as the native VLAN by some vendors. When a trunk interface receives an untagged frame, it adds the native VLAN tag to the frame.
A hybrid interface can connect to a user terminal (such as a host or server) or network device (such as a hub) that cannot identify VLAN tags, and also can connect to a switch, a router, an AP, or a voice terminal that can accept and send tagged and untagged frames. It accepts VLAN-tagged frames of multiple VLANs. Depending on your configuration, frames sent out from a hybrid interface may be tagged or untagged.
Hybrid and trunk interfaces can be interchanged in some scenarios, but hybrid interfaces must be used in specified scenarios, for example, selective QinQ. Before frames from multiple VLANs provided by a service provider enter a user network, the outer VLAN tags must be removed. Trunk interfaces cannot be used here because they allow only frames from their default VLANs to pass through as untagged.
VLAN Application Scenarios
Users can be isolated at Layer 2 using VLANs and can communicate with each other at Layer 3 through VLANIF interfaces.
Inter-VLAN Layer 2 Isolation
In the following figure, there are multiple companies in a building. These companies share network resources to reduce costs. Networks of the companies connect to different interfaces of the same Layer 2 switch and access the Internet through the same egress router.
Networking diagram of interface-based VLAN assignment
To isolate the services of different companies and ensure service security, assign interfaces connected to the company networks to different VLANs. In this way, each company has a virtual router, and each VLAN works as a virtual work group.
In the following figure, a company has two departments assigned with fixed IP network segments. The employees often move between locations, but the company requires that their network resource access rights remain unchanged.
Networking diagram of subnet-based VLAN assignment
To ensure that employees retain access to network resources after changing locations, assign VLANs based on subnets on Switch_1. In this case, servers on different subnets are assigned to different VLANs to isolate data flows for accessing application services on the servers, improving security.
Inter-VLAN Layer 3 Communication
In the following figure, departments 1 and 2 of a small-scale company belong to VLAN 2 and VLAN 3, respectively, and connect to a Layer 3 switch (Switch_3) through Layer 2 switches. Packets exchanged between the two departments need to pass through the Layer 3 switch.
Inter-VLAN Layer 3 communication through VLANIF interfaces
Assign VLANs on Switch_1 and Switch_2, configure Switch_1 and Switch_2 to transparently transmit VLAN frames to Switch_3, and configure a VLANIF interface for each VLAN on Switch_3 to allow communication between VLAN 2 and VLAN 3.
IEEE 802.1Q, often referred to as Dot1q, defines the VLAN implementation standard for Virtual Bridged Local Area Networks. Compared with a standard Ethernet frame, a VLAN-tagged frame has an extra 4-byte VLAN tag.
Link-type Negotiation Protocol (LNP) is used to dynamically negotiate the link type of an Ethernet interface. The negotiated link type can be access or trunk.
- When the link type on an Ethernet interface is negotiated as access, the interface joins VLAN 1 by default.
- When the link type on an Ethernet interface is negotiated as trunk, the interface joins VLANs 1 to 4094 by default.
The 802.1Q-in-802.1Q (QinQ) protocol is known as an amendment to the IEEE 802.1ad protocol. It expands VLAN space by adding an additional 802.1Q tag to 802.1Q-tagged packets, and allows packets in a private VLAN to be transparently transmitted over a public network.
A packet transmitted on the backbone network carries two 802.1Q tags: a public VLAN tag and a private VLAN tag.
What Are Disadvantages of VLAN in Cloud-based Scenarios
Cloud computing, relying on its high system utilization rate, low manpower and management costs, and flexible and expandable performance advantages, has already become the current new form of enterprise IT construction. As a core technology of cloud computing, server virtualization has a wide range of applications.
VLAN is a traditional network isolation technology. In accordance with standards, a maximum of about 4096 VLANs are available, which cannot meet the tenant isolation requirements of large data centers. In addition, each VLAN is a small and fixed Layer 2 domain, and as such is not suitable for large-scale dynamic virtual machine (VM) migration.
To solve this problem, Virtual eXtensible Local Area Network (VXLAN) was introduced. Defined in RFC, VXLAN is a Network Virtualization over Layer 3 (NVO3) technology that uses MAC-in-User Datagram Protocol (MAC-in-UDP) encapsulation. VXLAN overcomes the preceding disadvantages of VLAN. VXLAN uses the 24-bit VXLAN Network Identifier (VNI) field to identify up to 16 million tenants, compared to a maximum of 4096 tenants in VLAN. VXLAN establishes a virtual tunnel between two switches across the basic IP network of the data center and virtualizes the data center network into a large Layer 2 virtual switch to meet the requirements of large-scale dynamic VM migration.
VLANs are used to divide a physical LAN into multiple broadcast domains to isolate services with the aim of improving the security and management of the network. Hosts within a VLAN can directly communicate only with other hosts in the same VLAN and must use a router to communicate with hosts in other VLANs.What is a virtual LAN VLAN )? What is its purpose? ›
A virtual LAN (VLAN) is a logical overlay network that groups together a subset of devices that share a physical LAN, isolating the traffic for each group. A LAN is a group of computers or other devices in the same place -- e.g., the same building or campus -- that share the same physical network.What are the advantages of VLAN in Huawei? ›
VLAN technology offers the following benefits: Confines each broadcast domain to a single VLAN. This conserves bandwidth and improves network processing capabilities. Enhances LAN security.What is the reserved VLAN for Huawei? ›
By default, the range of reserved VLANs is from 4064 to 4094. Among the reserved VLANs, VLANs 4064 to 4071 are used for port mirroring, and VLAN 4095 is used by the system to forward packets inside a device.What is the default VLAN on Huawei switch? ›
By default, the default VLAN configuration of an interface is as follows: Access: The default VLAN is VLAN 1, and an access interface joins VLAN 1 in untagged mode. Trunk: The default VLAN is VLAN 1, and a trunk interface joins VLAN 1 to VLAN 4094 in tagged mode. That is, a trunk interface allows all VLANs.What are 3 reasons to use a VLAN in a network? ›
- It helps you to improve network security.
- It makes networks easier to manage by reducing the number of devices used.
- VLANs reduce the size of broadcasts and solve a problem with broadcast traffic.
- It helps you to improve your performance.
- VLAN removes the network boundaries.
VPNs and VLANs are different technologies with some similarities. VPNs connect authorized users to corporate network resources, while VLANs connect geographically separate devices. The technology answers to most remote work and education requirements have one word in common: virtual.What is the disadvantage of VLAN? ›
Disadvantages of VLANs
Additionally, VLANs may not be compatible with some legacy devices or applications that do not support VLAN tagging or encapsulation. Furthermore, they may cause problems with some network services or protocols that rely on physical addresses or broadcast domains.
A VLAN allows you to segment a network without needing separate hardware. So, you can have a single physical switch, but multiple different networks connected. You can group computers, servers, or other resources into a network based on department or user type. It doesn't have to be based entirely on physical location.What is VLAN and its disadvantages? ›
The primary advantage of VLAN is that it reduces the size of broadcast domains. The drawback of VLAN is that an injected packet may lead to a cyber-attack. VLAN is used when you have 200+ devices on your LAN.
Log in to the device through the web system. Open the web browser on the PC, enter https://192.168.1.253 in the address bar, press Enter, and then the web system login page is displayed, as shown in Figure 2-1. Enter the default user name and default password, and select the language of the web system.Does the VLAN number matter? ›
What is the best way to id them? Technically, vlan number does not matter much.Should you use default VLAN? ›
The Vlan1 itself is not insecure, even many still occupy it. The insecure thing is that everyone knows that it is the Vlan by default. And as already mentioned, you can be a victim of attacks by this vulnerability. Therefore it is recommended not to use it to switching/routing end devices.Should IP phones separate VLAN? ›
Putting VoIP on its own VLAN lets you give it highest priority in the network, while allowing more fault-tolerant data processes to take the back seat. Likewise, your Quality-of-Service and Voice Quality Monitoring services will be able to do a more effective job, and usually with less overhead on the server.What are the two types of VLAN access ports? ›
VLAN-enabled ports are generally categorized in one of two ways, tagged or untagged. These may also be referred to as "trunk" or "access" respectively. The purpose of a tagged or "trunked" port is to pass traffic for multiple VLAN's, whereas an untagged or "access" port accepts traffic for only a single VLAN.What is IP link in Huawei? ›
IP-link automatically checks the status of service links. It can detect the status of the links indirectly connected to a firewall for service continuity. When multiple IP-links are configured on a firewall, the IP-links send link detection packets concurrently. As a result, the CPU usage increases dramatically.Why do I need a VLAN? ›
At its simplest, VLANs enable you to transform one physical Local Area Network into multiple, isolated, logical Local Area Networks. VLANs give you multiple LANs with different purposes and intents that are co-located physically, without the expense of additional hardware and cabling.Why is VLAN more secure? ›
By separating users, VLANs help improve security because users can access only the networks that apply to their roles. In addition, if outside attackers access one VLAN, they will be contained to that network.What is the primary reason to build a virtual local area network VLAN )? ›
VLANs allow network administrators to automatically limit access to a specified group of users by dividing workstations into different isolated LAN segments. When users move their workstations, administrators don't need to reconfigure the network or change VLAN groups.Is A VLAN A router or a switch? ›
VLANs work on switches whereas to implement subnets you need a router. A routed network is more difficult to setup than a switched network. However a routed network does create separate broadcast domains while a switched network doesn't unles you use VLANs.
[Wireless Router] What is VLAN and how to setup? A VLAN (Virtual Local Area Network) is a logical network that is created within a larger physical network. VLANs allow you to segment a network into smaller, virtual sub-networks, which can be used to isolate traffic and improve network performance.What is the main function of Virtual Local Area Network VLAN spanning? ›
VLANs can help manage broadcast traffic by forming multiple broadcast domains. Breaking up a large network into smaller independent segments reduces the amount of broadcast traffic each network device and network segment has to bear.What are the different types of virtual LAN VLAN? ›
- Management VLAN.
- Data VLAN.
- Voice VLAN.
- Default VLAN.
- Native VLAN.
VLAN tags are used to provide high priority to voice packets. Using a VLAN for VoIP also prevents VoIP devices from competing with other traffic on the network, helping to avoid delays in delivering voice packets. A VoIP VLAN also makes it easier to troubleshoot VoIP issues since the VoIP traffic is isolated.