VLAN Configuration by Examples
Break Yang, February 11, 2023. #vlan #networking #switch #homelab
Why am I writing this?
As I worked on upgrading my home network with a NixOS router, I found myself once again needing to update the VLAN configuration on my Aruba Instant On 1930 PoE switch. However, I felt hesitant to do so due to my previous struggles in grasping the concept of VLAN despite reading multiple online articles.
Fortunately, my friend Hao recommended an informative post on the topic which, combined with an hour of experimentation, finally allowed me to understand VLAN sufficiently to implement my ideas. In this post, I aim to share my newfound practical knowledge with examples, hoping to assist others who may have encountered similar difficulties.
Disclaimer: Not being a network engineer, my understanding and explanation of VLANs are based on a simplified mental model. While I believe that this model is both easy to understand and accurate enough for practical use, it may not encompass all technical intricacies and complexities of the concept.
Example 1: An Unmanaged Switch
A switch, specifically a Layer 2 (L2) switch, is a networking device with several physical ports, each typically an RJ45 or SFP Ethernet interface. Each port connects to a single device, and the switch forwards packets at L2 using MAC addresses.
Ports
          1   2   3   4   5   6   7   8
        +---+---+---+---+---+---+---+---+
        |   |   |   |   |   |   |   |   |
        +-|-+-|-+-|-+-|-+---+---+---+---+
          A   B   C   D
For example, if you connect devices A, B, C, and D to ports 1, 2, 3, and 4 of an unmanaged switch (see above), the devices will be interconnected. Devices A and B can send packets to each other as if they were directly connected with an Ethernet cable.
When A sends a packet to port 1, it enters the switch, and when the packet reaches B via port 2, it leaves the switch. In this post, the statement "A and B can send packets to each other" means that the packet is not dropped by VLAN rules, either upon entering the switch via port 1 or upon leaving the switch via port 2.
Tagged Packet and Untagged Packet
A packet can be tagged with a VLAN ID, which is just an integer. A packet that has a VLAN ID is called a "tagged packet", and a packet that does not have a VLAN ID is called an "untagged packet".
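On the wire, the "tag" is a 4-byte 802.1Q header inserted between the source MAC and the EtherType: a TPID of 0x8100 followed by a TCI whose low 12 bits carry the VLAN ID. The following Python is an added example (my code, not the post's) that builds, tags, strips and parses such frames; the MAC addresses and payload are constructed sample values. It is also the byte-level version of what a "Tagged" port does on egress (add_tag) and what an "Untagged" port does on egress (strip_tag).

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows


def make_tag(vlan_id: int, pcp: int = 0) -> bytes:
    """Encode TPID + TCI. TCI = PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)."""
    if not 1 <= vlan_id <= 4094:          # VID 0 (priority-only) and 4095 are reserved
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be in 0..7")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; vlan_id=None gives an untagged frame."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    frame = dst + src
    if vlan_id is not None:
        frame += make_tag(vlan_id, pcp)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; 'vlan_id' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[:6], frame[6:12]
    vlan_id = pcp = None
    offset = 12
    (etype,) = struct.unpack("!H", frame[offset:offset + 2])
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        pcp, vlan_id = tci >> 13, tci & 0x0FFF
        offset = 16
        (etype,) = struct.unpack("!H", frame[offset:offset + 2])
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "pcp": pcp,
            "ethertype": etype, "payload": frame[offset + 2:]}


def add_tag(frame: bytes, vlan_id: int) -> bytes:
    """Egress from a 'Tagged' port: insert the VLAN tag after the source MAC."""
    if parse_frame(frame)["vlan_id"] is not None:
        raise ValueError("frame already carries a VLAN tag")
    return frame[:12] + make_tag(vlan_id) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Egress from an 'Untagged' port: remove the VLAN tag if there is one."""
    if parse_frame(frame)["vlan_id"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample frame: two made-up locally administered MACs,
# EtherType 0x0800 (IPv4) and a dummy payload.
SAMPLE_DST = bytes.fromhex("02000000000b")
SAMPLE_SRC = bytes.fromhex("02000000000a")
UNTAGGED = build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0800, b"hello")
TAGGED_10 = add_tag(UNTAGGED, 10)

if __name__ == "__main__":
    print(parse_frame(UNTAGGED))
    print(TAGGED_10.hex())      # the bytes 8100000a appear at offset 12
    print(parse_frame(TAGGED_10))
```

Note that a capture tool on a device behind an "Untagged" port never sees a tag at all, so when diagnosing "why does this host not see traffic", the tag must be read on the tagged side (or on a mirror port) rather than on the untagged host.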
Example 2: Managed Switch with Single VLAN
In this example, let's assume there is only one VLAN ID 10, and a packet can
either be tagged with VLAN 10 or untagged.
In a managed switch, each physical port can be configured as "Tagged" (T),
"Untagged" (U), or "Not Participating" (blank) with respect to VLAN 10. By
changing the interconnectivity of the ports for a specific VLAN, we can form a
virtual switch for that VLAN. Consider the example below:
Ports
          1   2   3   4   5   6   7   8
        +---+---+---+---+---+---+---+---+
VLAN 10 | T | U | U |   |   |   |   |   |
        +-|-+-|-+-|-+-|-+---+---+---+---+
          A   B   C   D
Here, ports 1, 2, and 3 form a virtual switch for VLAN 10, with port 1 being
"Tagged" for VLAN 10, and ports 2 and 3 being "Untagged" for VLAN 10. We can
temporarily ignore the other ports, as they are not participating in the virtual
switch for VLAN 10.
The rules for the virtual switch are straightforward. We only need to consider the behavior of the packet when it enters and leaves the virtual switch.
- If a physical port is "Tagged" for VLAN 10:
- It only allows packets tagged with VLAN 10 to enter.
- When a packet leaves this port, it will be tagged with VLAN 10.
- If a physical port is "Untagged" for VLAN 10:
- It only allows untagged packets to enter.
- When a packet leaves this port, it will be untagged, regardless of whether it was tagged with VLAN 10 before.
With these rules in mind, we can understand the behavior of the packet in different scenarios. For example:
- If device A sends an untagged packet to port 1, it will be dropped because port 1 is a tagged port for VLAN 10 and only accepts packets tagged with VLAN 10.
- If device A sends a packet tagged with VLAN 10 to port 1, the packet will enter the switch and reach devices B and C via ports 2 and 3 as untagged packets. The VLAN 10 tag will be stripped when the packet leaves ports 2 and 3 because they are untagged ports.
- If device B sends an untagged packet to port 2, it will be accepted and delivered to device A as a packet tagged with VLAN 10, and to device C as an untagged packet.
- If device C sends a packet tagged with VLAN 10 to port 3, it will be dropped because port 3 only accepts untagged packets.
Example 3: Managed Switch with 2 VLANs
Things become more interesting when there are multiple VLANs. This is also the reason people create VLANs: to form many virtual (logical) switches out of a single physical switch. The seemingly complicated rules are not there to drop packets; they exist so that each device can choose which virtual switch a packet is sent to.
In this example, let's consider a switch that is configured to form two virtual
switches, one for VLAN 10 and one for VLAN 20.
Ports
          1   2   3   4   5   6   7   8
        +---+---+---+---+---+---+---+---+
VLAN 10 | T | U | U |   |   |   |   |   |
        +---+---+---+---+---+---+---+---+
VLAN 20 |   |   | T | U |   |   |   |   |
        +---+---+---+---+---+---+---+---+
        |   |   |   |   |   |   |   |   |
        +-|-+-|-+-|-+-|-+---+---+---+---+
          A   B   C   D
We can treat the switch as two separate virtual switches: the virtual switch for
VLAN 10 consists of ports 1, 2, and 3, and the virtual switch for VLAN 20
consists of ports 3 and 4. Devices A and B are both only connected to the
virtual switch for VLAN 10, and can only communicate with each other and with
other devices on that same virtual switch. Device D is only connected to the
virtual switch for VLAN 20, and can only communicate with other devices on
that virtual switch. Device C is connected to both virtual switches through a
shared physical port, port 3.
When each device sends packets, it can now decide which virtual switch to send them to by tagging the packets accordingly. Once a packet enters a virtual switch, the rules that control how it leaves the switch remain the same.
- Device A can only send packets to the virtual switch for VLAN 10, since that is the only virtual switch port 1 participates in. In order to send packets to the virtual switch for VLAN 10, device A must tag the packets with VLAN 10, since port 1 is a "tagged" port for that virtual switch.
- Similarly, device B can only send packets to the virtual switch for VLAN 10, but since port 2 is an "untagged" port for that virtual switch, device B must send untagged packets to that virtual switch. Any other type of packet sent from device B will be dropped.
- Similarly, device D can only send packets to the virtual switch for VLAN 20, and the packets must be untagged to avoid being dropped.
- Device C can choose to send packets to either virtual switch by tagging the packets appropriately. Specifically, it can send untagged packets to the virtual switch for VLAN 10, or packets tagged with VLAN 20 to the virtual switch for VLAN 20. Any other type of packet sent from device C will be dropped.
Example 4: Sharing Two Physical Ports
Now, let's put what we've learned into practice! Consider the following slightly different example below:
Ports
          1   2   3   4   5   6   7   8
        +---+---+---+---+---+---+---+---+
VLAN 10 | T | U | U | T |   |   |   |   |
        +---+---+---+---+---+---+---+---+
VLAN 20 |   |   | T | U |   |   |   |   |
        +---+---+---+---+---+---+---+---+
        |   |   |   |   |   |   |   |   |
        +-|-+-|-+-|-+-|-+---+---+---+---+
          A   B   C   D
Question: if device C wants to send a packet to device D, what can it do?
Device C is connected to port 3 and device D is connected to port 4. Both ports 3 and 4 participate in both virtual switches. This means that device C has two choices:
- Device C can send an untagged packet to device D via the virtual switch for VLAN 10. This is possible because port 4 is also a member of the virtual switch for VLAN 10. However, device D will actually receive the packet tagged with VLAN 10, because port 4 is "tagged" for VLAN 10.
- Alternatively, device C can send a packet tagged with VLAN 20 to device D via the virtual switch for VLAN 20. However, device D will actually receive the packet untagged, because port 4 is "untagged" for VLAN 20.
In this way, device C has the flexibility to decide not only which virtual
switch to use but also how the packet should be tagged upon reaching device D.
One Extra Rule: Each Physical Port Can Only Be "Untagged" Once
The following configuration is invalid as port 3 is untagged for both VLAN 10 and VLAN 20. Why?
Ports
          1   2   3   4   5   6   7   8
        +---+---+---+---+---+---+---+---+
VLAN 10 | T | U | U |   |   |   |   |   |
        +---+---+---+---+---+---+---+---+
VLAN 20 |   |   | U | U |   |   |   |   |
        +---+---+---+---+---+---+---+---+
        |   |   |   |   |   |   |   |   |
        +-|-+-|-+-|-+-|-+---+---+---+---+
          A   B   C   D
Because a packet is never duplicated and sent to multiple virtual switches. Consider the case when device C sends an untagged packet to port 3: it is undecidable whether it should go into the switch for VLAN 10 or the switch for VLAN 20.
Therefore, a configuration where a physical port participates in multiple virtual switches as an untagged port is not valid.
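The ingress and egress rules from Example 2, the multi-VLAN behaviour from Examples 3 and 4, and the "untagged once" rule above can be written down as a small executable model. The Python below is an added example (my code, not the post's) that transcribes the post's port tables and lets you ask "if this device sends this packet into this port, where does it come out and how is it tagged?". Like the post, it floods a packet to every other port of the virtual switch; real switches also learn MAC addresses, which this model deliberately leaves out.

```python
from typing import Dict, Optional

T, U = "T", "U"   # port modes for a VLAN; a port absent from a VLAN's row does not participate
Membership = Dict[int, Dict[int, str]]   # {vlan_id: {port_number: "T" | "U"}}


class VlanSwitch:
    def __init__(self, membership: Membership):
        self.membership = membership
        self.validate()

    def validate(self) -> None:
        """The extra rule: a physical port may be 'Untagged' on at most one VLAN."""
        untagged_on: Dict[int, list] = {}
        for vlan, ports in self.membership.items():
            for port, mode in ports.items():
                if mode not in (T, U):
                    raise ValueError(f"port {port}: unknown mode {mode!r}")
                if mode == U:
                    untagged_on.setdefault(port, []).append(vlan)
        clashes = {p: v for p, v in untagged_on.items() if len(v) > 1}
        if clashes:
            raise ValueError(f"ports untagged on more than one VLAN: {clashes}")

    def ingress_vlan(self, port: int, tag: Optional[int]) -> Optional[int]:
        """Which virtual switch a packet entering `port` lands in; None means dropped.
        tag=None is an untagged packet, otherwise the VLAN ID in its tag."""
        for vlan, ports in self.membership.items():
            mode = ports.get(port)
            if mode == T and tag == vlan:
                return vlan          # tagged port: only packets carrying its own VLAN enter
            if mode == U and tag is None:
                return vlan          # untagged port: only untagged packets enter
        return None

    def forward(self, in_port: int, tag: Optional[int]) -> Dict[int, Optional[int]]:
        """{out_port: tag on the wire (None = untagged)} for every port the packet
        leaves; {} when it is dropped on ingress."""
        vlan = self.ingress_vlan(in_port, tag)
        if vlan is None:
            return {}
        return {port: (vlan if mode == T else None)
                for port, mode in self.membership[vlan].items()
                if port != in_port}   # a packet never goes back out the port it came in on


# The post's tables, transcribed.
EXAMPLE_2: Membership = {10: {1: T, 2: U, 3: U}}
EXAMPLE_3: Membership = {10: {1: T, 2: U, 3: U}, 20: {3: T, 4: U}}
EXAMPLE_4: Membership = {10: {1: T, 2: U, 3: U, 4: T}, 20: {3: T, 4: U}}
INVALID: Membership = {10: {1: T, 2: U, 3: U}, 20: {3: U, 4: U}}

if __name__ == "__main__":
    for name, table in (("Example 2", EXAMPLE_2), ("Example 3", EXAMPLE_3),
                        ("Example 4", EXAMPLE_4)):
        sw = VlanSwitch(table)
        print(name, "C sends untagged into port 3 ->", sw.forward(3, None))
        print(name, "C sends VLAN 20 into port 3   ->", sw.forward(3, 20))
    try:
        VlanSwitch(INVALID)
    except ValueError as err:
        print("invalid table rejected:", err)
```

Running it reproduces the bullet lists above: in Example 4, an untagged packet from C leaves port 4 tagged with VLAN 10 while a VLAN 20 packet from C leaves port 4 untagged, and the table from the "extra rule" section is rejected before any packet is simulated. The same model is handy as a sanity check before touching a real switch: transcribe the intended table, then assert which port pairs must and must not be able to exchange packets.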
Final Example: Designing a One-Armed Router
A common use case for VLANs is when you need to use a computer with a single Ethernet port as your router. Normally, a router should have at least two ports: one for the uplink (the modem that your ISP provides) and one for the downlink (the rest of your home devices, usually via a switch). In this example, we'll assume you want to connect two home devices: a WiFi access point (AP) and a PC.
To do this, you need two virtual switches and four physical ports. We can use VLAN 10 to connect the router and the uplink modem, and VLAN 20 to connect the router, the WiFi AP, and the PC. The router's single port (port 2) is "Tagged" on both VLANs, so the router sends and receives tagged packets and tells the two networks apart by the tag.
Ports
          1   2   3   4   5   6   7   8
        +---+---+---+---+---+---+---+---+
VLAN 10 | U | T |   |   |   |   |   |   |
        +---+---+---+---+---+---+---+---+
VLAN 20 |   | T | U | U |   |   |   |   |
        +---+---+---+---+---+---+---+---+
        |   |   |   |   |   |   |   |   |
        +-|-+-|-+-|-+-|-+---+---+---+---+
        Modem |   |   |
              |   |   |
         Router   |  PC
                  |
               WiFi AP
With this configuration, you can use the PC and WiFi AP simultaneously without needing a multi-port router.
Bonus Example: Adding Multiple WiFi Networks with A Single WiFi AP
In my case, I also need to set up 3 separate WiFi networks for personal devices, IoT devices (i.e. smart home stuff) and for guests on a single WiFi AP. By using VLANs to separate the personal, IoT, and guest networks, we can ensure that devices on each network are isolated from each other, providing an extra layer of security for our home network.
Fortunately my WiFi AP supports VLAN tagging, so I can create VLAN 30 and VLAN 40 for the IoT devices and the guest network. This also means adding two more virtual switches to connect the router and the WiFi AP.
A revised diagram is shown below.
Ports
          1   2   3   4   5   6   7   8
        +---+---+---+---+---+---+---+---+
VLAN 10 | U | T |   |   |   |   |   |   | (Uplink)
        +---+---+---+---+---+---+---+---+
VLAN 20 |   | T | U | U |   |   |   |   | (Personal Network)
        +---+---+---+---+---+---+---+---+
VLAN 30 |   | T | T |   |   |   |   |   | (IoT Network)
        +---+---+---+---+---+---+---+---+
VLAN 40 |   | T | T |   |   |   |   |   | (Guest Network)
        +---+---+---+---+---+---+---+---+
        |   |   |   |   |   |   |   |   |
        +-|-+-|-+-|-+-|-+---+---+---+---+
        Modem |   |   |
              |   |   |
         Router   |  PC
                  |
               WiFi AP
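The point of the final and bonus tables is segmentation, so the check worth automating is "which device pairs share a virtual switch, and over which VLAN?". The Python below is an added example (my code, not the post's) that audits the bonus table purely from the port membership, without simulating packets: two ports can exchange packets only over a VLAN on which both participate. The mapping of devices to ports is assumed from the diagram (Modem on 1, Router on 2, WiFi AP on 3, PC on 4).

```python
from itertools import combinations
from typing import Dict, List, Optional, Tuple

T, U = "T", "U"
Membership = Dict[int, Dict[int, str]]

# The bonus table, transcribed from the post.
BONUS: Membership = {
    10: {1: U, 2: T},            # Uplink
    20: {2: T, 3: U, 4: U},      # Personal network
    30: {2: T, 3: T},            # IoT network
    40: {2: T, 3: T},            # Guest network
}
# Device-to-port mapping as read from the diagram (assumption).
DEVICES = {1: "Modem", 2: "Router", 3: "WiFi AP", 4: "PC"}


def shared_vlans(membership: Membership, a: int, b: int) -> Dict[int, Tuple[str, str]]:
    """VLANs on which ports a and b both participate, with each side's mode.
    Port a must send with a's mode (tag for T, none for U) for b to receive."""
    return {vlan: (ports[a], ports[b])
            for vlan, ports in membership.items()
            if a in ports and b in ports}


def native_vlan(membership: Membership, port: int) -> Optional[int]:
    """The VLAN an untagged packet entering `port` lands in (None: dropped).
    This is what anything plugged into that port gets without configuring a tag."""
    hits = [v for v, ports in membership.items() if ports.get(port) == U]
    if len(hits) > 1:
        raise ValueError(f"port {port} is untagged on several VLANs: {hits}")
    return hits[0] if hits else None


def audit(membership: Membership, devices: Dict[int, str]) -> Dict[Tuple[str, str], dict]:
    """Pairwise report: for every device pair, the VLANs they can talk over."""
    return {(devices[a], devices[b]): shared_vlans(membership, a, b)
            for a, b in combinations(sorted(devices), 2)}


def check_isolation(membership: Membership, devices: Dict[int, str],
                    forbidden: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the forbidden pairs that can actually exchange packets (expect [])."""
    port_of = {name: port for port, name in devices.items()}
    return [(x, y) for x, y in forbidden
            if shared_vlans(membership, port_of[x], port_of[y])]


if __name__ == "__main__":
    for pair, vlans in audit(BONUS, DEVICES).items():
        print(f"{pair[0]:8} <-> {pair[1]:8}: {vlans or 'no shared VLAN'}")
    for port, name in DEVICES.items():
        print(f"port {port} ({name}): untagged packets land in VLAN {native_vlan(BONUS, port)}")
    print("violations:", check_isolation(BONUS, DEVICES, [("Modem", "PC"), ("Modem", "WiFi AP")]))
```

Two things the report makes visible: the modem shares no VLAN with the PC or the AP, so the uplink is only ever seen by the router; and port 3 places untagged packets into VLAN 20, the personal network, which is exactly what the AP needs but also what any other device plugged into that port would get. The audit covers the switch only; whether the router forwards between VLAN 20, 30 and 40 is decided by the router's own firewall rules, not by the table.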
Thank you for reading and hope this post helps you!
Acknowledgement
Special thanks to ChatGPT, an AI language model trained by OpenAI, for helping me revise and improve this post.