VLAN Configuration by Examples
Break Yang February 11, 2023 #vlan #networking #switch #homelabWhy am I writing this?
As I worked on upgrading my home network with a NixOS router, I found myself once again needing to update the VLAN configuration on my Aruba Instant On 1930 PoE switch. However, I felt hesitant to do so due to my previous struggles in grasping the concept of VLAN despite reading multiple online articles.
Fortunately, my friend Hao recommended an informative post on the topic which, combined with an hour of experimentation, finally allowed me to understand VLAN sufficiently to implement my ideas. In this post, I aim to share my newfound practical knowledge with examples, hoping to assist others who may have encountered similar difficulties.
Disclaimer: Not being a network engineer, my understanding and explanation of VLANs are based on a simplified mental model. While I believe that this model is both easy to understand and accurate enough for practical use, it may not encompass all technical intricacies and complexities of the concept.
Example 1: An Unmanaged Switch
A switch, specifically a Layer 2 (L2) switch, is a networking device with several physical ports, each typically featuring an RJ45 or SFF Ethernet interface. Every port is capable of connecting to a single device and the switch operates on L2 using MAC addresses.
Ports
1 2 3 4 5 6 7 8
+---+---+---+---+---+---+---+---+
| | | | | | | | |
+-|-+-|-+-|-+-|-+---+---+---+---+
A B C D
For example, if you connect devices A
, B
, C
, and D
to ports 1, 2, 3, and
4 of an unmanaged switch (see above), the devices will be interconnected. Device
A
and B
can send packets to each other, as if they were directly connected with
an Ethernet cable.
When A
sends a packet to port 1, it enters the switch, and when the packet
reaches B
via port 2, it leaves the switch. In this post, the statement
"A
and B
can send packets to each other" means that the packet is not
dropped upon entering the switch via port 1 or upon leaving the switch via port
2 VLAN rules.
Tagged Packet and Untagged Packet
A packet can be tagged with a VLAN ID, which is just an integer. A packet that has a VLAN ID is called a "tagged packet", and a packet that does not have a VLAN ID is called an "untagged packet".
Example 2: Managed Switch with Single VLAN
In this example, let's assume there is only one VLAN ID 10
, and a packet can
either be tagged with VLAN 10
or untagged.
In a managed switch, each physical port can be configured as "Tagged" (T),
"Untagged" (U), or "Not Participating" (blank) with respect to VLAN 10
. By
changing the interconnectivity of the ports for a specific VLAN, we can form a
virtual switch for that VLAN. Consider the example below:
Ports
1 2 3 4 5 6 7 8
+---+---+---+---+---+---+---+---+
VLAN 10 | T | U | U | | | | | |
+-|-+-|-+-|-+-|-+---+---+---+---+
A B C D
Here, ports 1, 2, and 3 form a virtual switch for VLAN 10
, with port 1 being
"Tagged" for VLAN 10
, and ports 2 and 3 being "Untagged" for VLAN 10
. We can
temporarily ignore the other ports, as they are not participating in the virtual
switch for VLAN 10
.
The rules for the virtual switch are straightforward. We only need to consider the behavior of the packet when it enters and leaves the virtual switch.
- If a physical port is "Tagged" for VLAN 10:
- It only allows packets tagged with VLAN 10 to enter.
- When a packet leaves this port, it will be tagged with VLAN 10.
- If a physical port is "Untagged" for VLAN 10:
- It only allows untagged packets to enter.
- When a packet leaves this port, it will be untagged, regardless of whether it was tagged with VLAN 10 before.
With these rules in mind, we can understand the behavior of the packet in different scenarios. For example:
- If device
A
sends an untagged packet to port 1, it will be dropped because port 1 is a tagged port forVLAN 10
and only accepts packets tagged withVLAN 10
. - If device
A
sends a packet tagged withVLAN 10
to port 1, the packet will enter the switch and reach devicesB
andC
via ports 2 and 3 as untagged packets. The tagVLAN 10
will be stripped when the packet leaves ports 2 and 3 because they are untagged ports. - If device
B
sends an untagged packet to port 2, it will be accepted and delivered to deviceA
as a packet tagged withVLAN 10
, and to deviceC
as an untagged packet. - If device
C
sends a packet tagged withVLAN 10
to port 3, it will be dropped because port 3 only accepts untagged packets.
Example 3: Managed Switch with 2 VLANs
Things become more interesting when there are multiple VLANs. This is also the reason why people create VLANs: to form many virtual (logical) switches out of a single physical switch device. The seemingly complicated rules are also not created for dropping packets. They are here to give the devices options to choose which virtual switch it want a packet to be sent to.
In this example, let's consider a switch that is configured to form two virtual
switches, one for VLAN 10
and one for VLAN 20
.
Ports
1 2 3 4 5 6 7 8
+---+---+---+---+---+---+---+---+
VLAN 10 | T | U | U | | | | | |
+---+---+---+---+---+---+---+---+
VLAN 20 | | | T | U | | | | |
+---+---+---+---+---+---+---+---+
| | | | | | | | |
+-|-+-|-+-|-+-|-+---+---+---+---+
A B C D
We can treat the switch as two separate virtual switches: the virtual switch for
VLAN 10
consists of ports 1, 2, and 3, and the virtual switch for VLAN 20
consists of ports 3 and 4. Devices A
and B
are both only connected to the
virtual switch for VLAN 10, and can only communicate with each other and with
other devices on that same virtual switch. Device D
is only connected to the
virtual switch for VLAN 20
, and can only communicate with other devices on
that virtual switch. Device C
is connected to both virtual switches through a
shared physical port, port 3.
When each device sends packets, it can now decide which virtual switch to send them to by tagging the packets accordingly. Once a packet enters a virtual switch, the rules that control how it leaves the switch remain the same.
- Device
A
can only send packets to the virtual switch forVLAN 10
, since that is the only virtual switch that port 1 participates. In order to send packets to the virtual switch forVLAN 10
, deviceA
must tag the packets withVLAN 10
, since port 1 is a "tagged" port for that virtual switch. - Similarly, device
B
can only send packets to the virtual switch forVLAN 10
, but since port 2 is an "untagged" port for that virtual switch, deviceB
must send untagged packets to that virtual switch. Any other types of packets sent from device B will be dropped. - Similarly, device
D
can only send packets to the virtual switch forVLAN 20
, and the packets must be untagged to avoid being dropped. - Device
C
can choose to send packets to either virtual switch by tagging the packets appropriately. Specifically, it can send untagged packets to the virtual switch forVLAN 10
, or packets tagged withVLAN 20
to the virtual switch forVLAN 20
. Any other types of packets sent from deviceC
will be dropped.
Example 4: Sharing Two Physical Ports
Now, let's put what we've learned into practice! Consider the following slightly different example below:
Ports
1 2 3 4 5 6 7 8
+---+---+---+---+---+---+---+---+
VLAN 10 | T | U | U | T | | | | |
+---+---+---+---+---+---+---+---+
VLAN 20 | | | T | U | | | | |
+---+---+---+---+---+---+---+---+
| | | | | | | | |
+-|-+-|-+-|-+-|-+---+---+---+---+
A B C D
Question: If device C
want to send a packet to device D
, what can it do?
Device C
is connected to port 1 and device D
is connected to port 4. Both
port 3 and 4 participates in both virtual switches. This means that device C
has two choices:
- Device
C
can send an untagged packet to deviceD
via the virtual switch forVLAN 10
. This is possible because port 4 is also a member of the virtual switch forVLAN 10
. However, deviceD
will actually receive the packet tagged withVLAN 10
, because port 4 is "tagged" forVLAN 10
. - Alternatively, device
C
can send a packet tagged withVLAN 20
to deviceD
via the virtual switch forVLAN 20
. However, deviceD
will actually receive the packet untagged, because port 4 is "untagged" for VLAN 20.
In this way, device C
has the flexibility to decide not only which virtual
switch to use but also how the packet should be tagged upon reaching device D
.
One Extra Rule: Each Physical Port Can Only Be "Untagged" Once
The following configuration is invalid as port 3 is untagged for both VLAN 10
and VLAN 20
. Why?
Ports
1 2 3 4 5 6 7 8
+---+---+---+---+---+---+---+---+
VLAN 10 | T | U | U | | | | | |
+---+---+---+---+---+---+---+---+
VLAN 20 | | | U | U | | | | |
+---+---+---+---+---+---+---+---+
| | | | | | | | |
+-|-+-|-+-|-+-|-+---+---+---+---+
A B C D
Because packets are not allowed to be duplicated and sent to multiple virtual
switches. Consider the case when device C
sends an untagged packet to port 3.
It is undecideable whether it should go into the switch for VLAN 10
or the
switch for VLAN 20
.
Therefore, a configuration where a physical port participates in multiple virtual switches as an untagged port is not valid.
Final Example: Designing an One Armed Router
A common use case for VLANs is when you need to use a computer with a single ethernet port as your router. Normally, a router should have at least two ports, one for the uplink (the modem that your ISP provides) and one for the downlink (the rest of your home devices, usually via a switch). In this example, we'll assume you want to connect two devices: a WiFi access point and a PC.
Normally a router should have at least two ports: one for connecting the uplink (i.e. the modem that your ISP gives you) and the downlink (the rest of your home devices, usually via a switch). In this example, let's say we want to connect two home devices: A WiFi AP and a PC.
To do this, you will need two switches and four ports. We can use VLAN 10
to
connect the router and the uplink modem, and VLAN 20
to connect the router,
WiFi AP, and PC.
Ports
1 2 3 4 5 6 7 8
+---+---+---+---+---+---+---+---+
VLAN 10 | U | T | | | | | | |
+---+---+---+---+---+---+---+---+
VLAN 20 | | T | U | U | | | | |
+---+---+---+---+---+---+---+---+
| | | | | | | | |
+-|-+-|-+-|-+-|-+---+---+---+---+
Modem | | |
| | |
Router| PC
|
WiFi AP
With this configuration, you can use the PC and WiFi AP simultaneously without needing a multi-port router.
Bonus Example: Adding Multiple WiFi Networks with A Single WiFi AP
In my case, I also need to set up 3 separate WiFi networks for personal devices, IoT devices (i.e. smart home stuff) and for guests on a single WiFi AP. By using VLANs to separate the personal, IoT, and guest networks, we can ensure that devices on each network are isolated from each other, providing an extra layer of security for our home network.
Fortunately my WiFi
AP
supports VLAN tagging so that I can create VLAN 30
and VLAN 40
for the IoT
devices and guest network. This also means adding two more virtual switches to
connect the router and the WiFi AP.
A revised diagram is shown below.
Ports
1 2 3 4 5 6 7 8
+---+---+---+---+---+---+---+---+
VLAN 10 | U | T | | | | | | | (Uplink)
+---+---+---+---+---+---+---+---+
VLAN 20 | | T | U | U | | | | | (Personal Network)
+---+---+---+---+---+---+---+---+
VLAN 30 | | T | T | | | | | | (IoT Network)
+---+---+---+---+---+---+---+---+
VLAN 40 | | T | T | | | | | | (Guest Network)
+---+---+---+---+---+---+---+---+
| | | | | | | | |
+-|-+-|-+-|-+-|-+---+---+---+---+
Modem | | |
| | |
Router| PC
|
WiFi AP
Thank you for reading and hope this post helps you!
Acknowledgement
Special thanks to ChatGPT, an AI language model trained by OpenAI, for helping me revise and improve this post.