VLAN - Virtual LAN

A VLAN, or Virtual LAN, is a method of dividing one physical Ethernet switch into several separate logical networks. On the physical side, it is as if you had several independent Ethernet switches instead of one, with the same advantages that multiple switches give, as discussed on the SOHO network page. The best part is that VLAN'ing a switch is done entirely in software, through the switch's configuration interface: you decide how to divide your switch into virtual switches, or VLANs.

Physical VLAN'd Switch

On the logical side, each VLAN is given its own IP subnet (network address), for example VLAN 1 = 192.168.1.0/24, VLAN 2 = 192.168.2.0/24 and so on. This further isolates the VLAN traffic and provides better traffic management. Why is this an advantage? It isolates the "behind the scenes" traffic: the overhead of the network's support protocols that is not directly involved in transferring data. This is the traffic of the "broadcast domain", created by discovery services such as ARP and DHCP and by routing protocols. In a large flat network this behind-the-scenes traffic can consume a surprising share of your available bandwidth, up to 35%. When the network is divided into VLANs, each VLAN is its own broadcast domain: a broadcast sent in one VLAN is never seen by hosts in another. This drastically reduces the amount of broadcast traffic per VLAN, and it also means a host can only see the ARP and DHCP chatter of its own VLAN.

Logical VLAN'd Switch

Advantages to VLAN'ing your network

There are very good reasons to VLAN your network:

  • Bandwidth - reduces network traffic to only what is needed on the VLAN.
  • Security - separate the LAN into segments based on trust level. A device on one VLAN has no layer-2 path to another VLAN; the only way across is the router or firewall that connects them, which is where access policy is enforced. The caveat: this holds only as long as access ports stay access ports. A port that is allowed to negotiate itself into a trunk, or a trunk whose native VLAN also carries user traffic, weakens the separation (see Dot1Q Trunks below).
  • Segment LAN - separate the LAN into segments by department or user group rather than by physical location.
  • QoS - separate voice traffic from data as a first step in providing QoS for VoIP. This is the big one for our purposes.
  • VLANs spread across many switches - In larger networks, you can spread the VLANs across many switches. You use the same physical infrastructure but now have multiple virtual networks. It makes it very flexible to setup a network exactly how you want to segment it. This is the real selling point for large networks.

VLAN Basics

When a VLAN-capable switch is powered on for the first time, all ports belong to the default VLAN, ID 1, so that every port works out of the box. VLANs are identified by numbers called VLAN IDs, and the first VLAN is numbered 1. The 802.1Q VLAN ID is a 12-bit field, so the usable range on a switch is 1 to 4094 (0 and 4095 are reserved); in practice a small network uses far fewer, typically around 6 to 10.

Naming VLANs

Remembering which VLAN ID is assigned to which purpose is difficult and confusing. The solution is to give the VLAN IDs names, so that you can identify a VLAN by its name, for example Floor10, Accounting, Voice, Data, Engineering, ServerNet and so on. Just a note: there are no rules for the numbering of VLAN IDs or for naming as long as they follow the correct syntax for your switch. You can use any VLAN ID for any name; it's up to you.

Port Assignment

The physical Ethernet ports of the switch are assigned to the VLAN IDs. The switch will have specific configuration commands through a command line interface (CLI) or web GUI. You can assign multiple ports or a single port to a VLAN. Some switch manufacturers look at it differently and say that you are assigning "VLANs to the port" instead of "ports to a VLAN". Either way, the end result is the same, there is a port to VLAN assignment.

Important Concept: Only those ports on the same VLAN can talk to each other. The ports are isolated from all other VLANs!

Network Addresses

Each VLAN will have its own IP subnet (network address): VLAN 20 and VLAN 30 will be two different networks. There is a convention (not a rule but a best practice) that the network address corresponds to the VLAN ID. For example, VLAN 10 (Desktop) uses network address 192.168.10.0/24 and VLAN 30 (VoIP) uses 192.168.30.0/24. The purpose is to make the network easier to troubleshoot and to tell at a glance which VLAN and network a device belongs to. As networks grow and the number of VLANs increases, following this rule of thumb simplifies network management.

VLAN'd Network

Switch VLAN Configuration

There is no standard VLAN configuration method for Ethernet switches. Each switch manufacturer uses their own configuration commands either through a web GUI or command line. The config examples will use the Cisco command line just because I'm familiar with Cisco switches. Regardless, all follow the same basic process:

  1. Create the VLAN ID - In configuration mode, type "vlan 10" to create a vlan with ID 10.

    vlan 10

  2. Name the VLAN - Give VLAN 10 the name Desktop, type "name Desktop".

    name Desktop

  3. Assign ports to the VLAN - Configure one port or a range of ports:

    interface range fa0/1 - 8
    switchport mode access
    switchport access vlan 10

View the VLAN configuration

Again, because there is no standard, we'll use Cisco. From configuration mode, type "end" to return to Privileged EXEC mode, then type "show vlan". It will show the new VLAN and the ports now assigned to it.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   Desktop                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8

What about Unassigned Ethernet Ports?

Ports that haven't been manually assigned to a VLAN remain part of VLAN 1. Best practice is to "shut down" unused Ethernet ports for physical security reasons, and to move them out of VLAN 1 into an unused "parking" VLAN as well, so that a port re-enabled by mistake later still leads nowhere. That way no one can accidentally or intentionally (as in hacking) plug into a VLAN that the administrator does not want them to access.
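
To turn the "show vlan" listing above into a check, here is an added example (not code from the original page) that parses Cisco-style "show vlan" output, lists the ports still sitting in VLAN 1, and produces the IOS lines that shut those ports and park them in an unused VLAN. SHOW_VLAN is a constructed copy of the listing shown above; the parser assumes Cisco column layout and VLAN names without spaces, and the parking VLAN ID 999 with the name Unused is an assumption, so use any ID that is free on your switch.

```python
"""Audit a Cisco 'show vlan' listing for ports still sitting in the default VLAN.

Added example, not code from the original page. SHOW_VLAN is a constructed
copy of the listing shown on the page. The parser assumes Cisco-style columns
and VLAN names without spaces; the parking VLAN ID 999 and its name are
assumptions, use any ID that is unused on your switch.
"""
import re

SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   Desktop                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
"""

# A VLAN row begins with the numeric ID; port lists that wrap onto following
# lines start with whitespace and belong to the VLAN seen last.
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_show_vlan(text):
    """Return {vlan_id: {"name": ..., "status": ..., "ports": [...]}}."""
    vlans = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN ", "----")):
            continue                      # header and separator lines
        match = VLAN_ROW.match(line)
        if match:
            current = int(match.group(1))
            vlans[current] = {"name": match.group(2),
                              "status": match.group(3), "ports": []}
            port_text = match.group(4)
        else:
            port_text = line              # continuation line of the previous VLAN
        if current is not None:
            vlans[current]["ports"] += [p.strip() for p in port_text.split(",") if p.strip()]
    return vlans


def ports_in_default_vlan(vlans, default_vlan=1):
    """Ports never assigned elsewhere are still in VLAN 1; these are the ones to
    shut down (and move) so nobody can plug into the default VLAN unnoticed."""
    return list(vlans.get(default_vlan, {"ports": []})["ports"])


def hardening_commands(ports, parking_vlan=999):
    """IOS configuration that shuts each port and parks it in an unused VLAN,
    so the port stays harmless even if someone re-enables it later."""
    lines = [f"vlan {parking_vlan}", " name Unused", "exit"]
    for port in ports:
        lines += [f"interface {port}",
                  " switchport mode access",
                  f" switchport access vlan {parking_vlan}",
                  " shutdown",
                  "exit"]
    return lines


if __name__ == "__main__":
    vlans = parse_show_vlan(SHOW_VLAN)
    unused = ports_in_default_vlan(vlans)
    print(f"{len(unused)} ports still in VLAN 1: {', '.join(unused)}")
    print("\n".join(hardening_commands(unused)))
```

Run it against the output of "show vlan" copied from your own switch; trunk ports do not appear in the port column of "show vlan", so they are not touched by this check, which is what you want.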

How do you access between VLANs?

From the information provided so far, you can't. Each VLAN is its own network with its own network address, so to reach one VLAN from another you need to route between networks. This requires a different device: a router or a layer 3 switch. A layer 3 switch routes between Ethernet (VLAN) networks only; it cannot terminate WAN links and, at the time of writing, supports a more limited set of routing protocols than a router. Whichever device you use, it is the one place every inter-VLAN packet passes through, so it is where the access lists that restrict traffic between VLANs belong. Routing between VLANs is further covered in the Routing webpage.

Dot1Q Trunks

Normally an Ethernet port on a switch can only be assigned to one VLAN, but there are special circumstances where a port can be configured to carry more than one VLAN. The first is an IEEE 802.1Q trunk (often referred to as dot1q for short). IEEE 802.1Q is a standard created by the IEEE to pass many VLANs between switches over one link: each frame sent on the trunk carries a 4-byte tag holding its VLAN ID, so the switch at the other end knows which VLAN the frame belongs to (frames of the trunk's native VLAN are sent untagged). A trunk is only used to connect switch to switch and switch to router. Because a trunk carries every VLAN allowed on it, make sure only the ports you intend are trunks: on Cisco switches, ports meant for end devices should be set to "switchport mode access" with "switchport nonegotiate" so they never negotiate themselves into a trunk.

Switch to Switch Dot1Q Trunk

In the switch to switch example, you may have VLANs spanning across two or more switches. The trunk allows two or more VLANs to pass through this special port. Dot1Q trunking is covered further in Business Networks. In the switch to router example, a router is connected to a switch to provide routing services between the VLANs. An easy to remember nickname for this configuration is "Router on a Stick" which is further covered in the Routing webpage.

Multi-VLAN Ports

A second circumstance is when a VoIP phone is connected to a switch. Inside a VoIP phone is a three-port Ethernet switch. Its LAN port connects to the switch port that has two VLANs assigned to it: VLAN 30 VoIP (voice) and VLAN 10 Desktop (data). An internal port connects to the phone itself on the VoIP VLAN, and a third physical port is used for connecting a PC on the Desktop VLAN. This avoids running separate Ethernet cables for voice and data to each user's desk.

VoIP Multi-VLAN Port

Create a Multi-VLAN Port

This is an example of creating a multi-VLAN port for a VoIP phone on a Cisco switch. There is one additional line compared with a normal access-port configuration, and it identifies the voice VLAN.

interface fa0/1
switchport mode access
switchport access vlan 10
switchport voice vlan 30

Note that the IP phone is on a different network (192.168.30.0/24) than the desktop PC (192.168.10.0/24). The phone tags its own frames with the voice VLAN, while the PC's frames pass through the phone untagged and land in the data VLAN. The IP phone's internal Ethernet switch must therefore be told which VLAN is the voice VLAN, either manually through the phone's web GUI or through the call server's TFTP configuration files (Cisco phones can also learn it from the switch itself through CDP or LLDP-MED).
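
The following added example (not code from the original page) ties the Dot1Q Trunks section and this multi-VLAN port together: it builds Ethernet frames with and without an 802.1Q tag and then classifies them the way the fa0/1 access port above and a dot1q trunk would. The MAC addresses and payloads are constructed. The port model is a simplifying assumption about typical switch behaviour rather than a statement about any particular product: an access port accepts untagged frames into its access VLAN and tagged frames only for its access or voice VLAN, a trunk maps untagged frames to its native VLAN and accepts tagged frames on its allowed list, and everything else is dropped.

```python
"""Build Ethernet frames with/without an 802.1Q tag and decide which VLAN a
switch port would place them in.

Added example, not from the original page. Port behaviour is a simplified
model (assumption): an access port accepts untagged frames into its access
VLAN and tagged frames only for its access or voice VLAN; a trunk maps
untagged frames to its native VLAN and accepts tagged frames on its allowed
list. Everything else is dropped.
"""
import struct

TPID_8021Q = 0x8100      # the 2 bytes that mark a frame as 802.1Q tagged
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered MACs, not real devices).
PC_MAC = bytes.fromhex("020000000001")
PHONE_MAC = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6

# Port configurations mirroring the page: fa0/1 is an access port for VLAN 10
# with voice VLAN 30; the trunk carries VLANs 1, 10 and 30 with native VLAN 1.
ACCESS_PORT = {"mode": "access", "access_vlan": 10, "voice_vlan": 30}
TRUNK_PORT = {"mode": "trunk", "native_vlan": 1, "allowed_vlans": {1, 10, 30}}


def build_frame(dst, src, payload, vlan_id=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Return an Ethernet frame; when vlan_id is given a 4-byte 802.1Q tag is
    inserted between the source MAC and the EtherType."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VID is a 12-bit field; 0 and 4095 are reserved")
        tci = (pcp << 13) | vlan_id      # TCI = PCP(3 bits) | DEI(1 bit, here 0) | VID(12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vlan_id, pcp, ethertype, payload); vlan_id is None when untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, tci >> 13, ethertype, frame[18:]
    return None, None, tpid, frame[14:]


def classify_ingress(port, frame):
    """Return the VLAN the switch forwards the frame in, or None if it is dropped."""
    vid, _pcp, _ethertype, _payload = parse_tag(frame)
    if port["mode"] == "access":
        # The PC sends untagged frames: they land in the data VLAN. The phone
        # tags its own frames with the voice VLAN. Any other tag is dropped, so
        # a host cannot pick a VLAN just by tagging its frames.
        if vid is None or vid == port["access_vlan"]:
            return port["access_vlan"]
        if vid == port.get("voice_vlan"):
            return vid
        return None
    if port["mode"] == "trunk":
        # Untagged frames on a trunk are taken to belong to the native VLAN,
        # which is why the native VLAN should not be one that carries user data.
        if vid is None:
            vid = port["native_vlan"]
        return vid if vid in port["allowed_vlans"] else None
    raise ValueError(f"unknown port mode {port['mode']!r}")


if __name__ == "__main__":
    pc_arp = build_frame(BROADCAST, PC_MAC, b"who-has 192.168.10.1?")
    phone_rtp = build_frame(BROADCAST, PHONE_MAC, b"rtp", vlan_id=30, pcp=5)
    for name, frame in (("PC (untagged)", pc_arp), ("phone (tag 30)", phone_rtp)):
        print(name, "-> VLAN", classify_ingress(ACCESS_PORT, frame))
```

The PCP value 5 on the phone's frame is the priority field that QoS for VoIP later builds on; the tag is what lets the switch separate voice from data on a single cable, and the same tag format is what a dot1q trunk uses between switches.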



Copyright July 2013 Eugene Blanchard