Expired

VLANs (Virtual LANs)

Expired

What is a VLAN?

In the simplest of LAN topologies, you have a single physical network and everything on that LAN can communicate with any other device. In an IP network, on a simple private LAN you have a single IP subnet (e.g. 192.168.1.0/24). In this simple network, all devices are all part of the same physical LAN ('wiring') and logical LAN (IP network).

A Virtual LAN ('VLAN') is a method of segmenting different devices according to their location, function or security clearance.

For example, you may wish to separate departments (sales, accounts, R&D) or separate company traffic/data from guests using WiFi in your premises. The rules set for VLANs can set whether each VLAN can or cannot communicate with any other. A VLAN can also provide additional security by ensuring that physical networks only carry necessary data, perhaps omitting more sensitive data. A VLAN can be physically separated or separated by differential labelling of datagrams.

VLANs vs. Subnets

It's important to remember that a VLAN is not the same as a different subnet (e.g. 192.168.1.0 vs. 10.0.0.0). Subnets provide IP addressing space, or logical departmental or network numbering but do not separate the networks or provide any security. If you just have multiple subnets, any device could have more than one IP address or connect to either subnet as both are available on the same physical network. VLANs and subnets can be used together - each subnet can be within a different VLAN. This is a common application as it makes it easier to keep track of your VLANs.

Types of VLAN

There are two main types of VLAN; port based or tag based. They can be used in combination with each other. VLANs can increase both network efficiency and security.

Port Based VLANs

A port based VLAN is one where the physical ports of an Ethernet switch (such as the one built into your router) are separated so that traffic does not pass between chosen ports.

You can choose which ports can and can't communicate with each other.

For example, if you have one PC plugged directly into each port on your router. All PCs have access to the Internet. You set two VLANS (VLAN0 and VLAN1). The PCs on ports 1,2 & 3 are in VLAN0 and can communicate with each other but not the PCs/devices on the other ports. Ports 5 & 6 are in the other VLAN and cannot communicate with ports 1,2 & 3. Port 4 is set to be in both VLANs so the PC on that port can communicate with all other devices. That is a port based VLAN - the physical port is isolated or common to a group.

In this example, within the setup of the router we have set up two VLANs that are each a member of the Subnet LAN1, operating in the same IP range but separated. VLAN0 has Ethernet ports 1-4 in it, and VLAN1 contains Ports 4-6. See how Port 4 is in both VLANs, so the device (PC) connected to port 4 will be able to communicate with all devices in VLAN0 and VLAN1 but all other devices will be restricted to devices within their own VLAN.

If a port is common to more than one VLAN, your router will allow that port to communicate with the ports in each VLAN that it is a member of.

The VLANs are not able to communicate directly but the device connected to that port, such as a printer, would be accessible by each of the VLANs.

A port doesn't have to connect to a PC directly, it can feed a secondary Ethernet switch; in that case, the switch will inherit the VLAN characteristics and receive only data which is part of that port's VLAN.

Tag Based VLANs

A Tag-based VLAN is one where an identifier label (or 'tag') is added to the Ethernet frame to identify it as belonging to a specific VLAN group. This has the advantage over port based VLAN in that multiple tagged VLANs can be sent over the same physical network/cable and split only once required; making it inherently scalable. The most common protocol for defining VLAN tags is 802.1q. Remember that VLAN tags exist at Layer 2 - not the IP layer so even if you have multiple IP subnets, they can all belong to the same VLAN structures.

In this diagram, we have 3 VLANs (IDs 10, 11 and 12), all of which are available on port 2 of the router. The router connects to a larger switch which in turn splits the VLANs up so that each goes only to specific onward ports on the switch.

The most common distinction between tagged-VLAN data is to separate IP subnets, but they can also be used departmentally or for specific devices or services. Tagged based VLANs provide much more scalability than port-based VLANs. Whether they provide any additional security will depend entirely on your topology.

To make use of tagged VLANs, all networking components must recognise and support VLAN tags. The device, for example, might be a secondary Ethernet switch with 24 ports and is set to split one VLAN to be distributed onto ports 1-12 and another VLAN onto ports 13-24. The device may instead be a wireless access point which supports multiple SSIDs. It takes data with one VLAN tag to serve SSID1, and another VLAN to serve SSID2. That way, the wireless access point is fed by only one Ethernet cable but can serve two completely separated wireless networks.

In the example, we have three VLANs set up and we have given each a unique VLAN tag; that can be anything you like but in our case we have chosen 10, 11 and 12 for VLANs 1,2 and 3 respectively. Vigor 2860 Port 2 is included in VLAN 1,2 and 3 and this means that it is able to send and receive traffic for these VLANs .

A switch such as the VigorSwitch P1280 would then be connected to Vigor 2860 Port 2 and the corresponding port on the switch would also be configured to the same VLAN tags. Other ports on the VigorSwitch P1280 switch can be configured to a VLAN tag to allow a device connected to the port to communicate with the VLAN matching the tag.

In our example VigorSwitch P1280:

  • Ports 3, 4, 5, 6 have a tag of 10 so would be able to communicate with VLAN1.
  • Ports 7, 8, 9, 10 have a tag of 11 so would be in VLAN2 and port 11 and 12 have a tag of 12 to associate them with VLAN3.

The "Permit untagged device in P1 to access router" box is ticked which means that a PC can also be directly connected to the Vigor 2860 port 1 without needing to be configured to be vlan aware and still communicate with the router.

Devices connected directly to ports P3,P4,P5,P6 would need to be VLAN aware.

Combining tags, ports and Wireless SSIDs

DrayTek routers allow you to combine port-based VLANs, tagged VLANs, physical Ethernet ports and wireless SSIDS (for wireless equipped routers), allowing much flexibility. The actual VLAN setup page therefore looks like this:

Devices which do not support tags

Not all networking equipment supports tagged VLANs, so to accommodate those, you can have tagged data and untagged data running on the same network, perhaps physically isolated by port-based VLANs, or your switch can remove the VLAN tag before forwarding the data onto the connected device. A feature of most tag-capable Ethernet switches is that they can add, remove, change or forward VLAN tags.

Note : The capability of any particular product will vary; please refer to specifications of each product for feature support.