
Layer 2 VLAN

By
Sameer Ali
© 2011 IP Infusion Inc. All rights reserved.
Outline

• VLAN Introduction
• VLAN Benefits
• VLAN Operation
• VLAN Membership Types
• Types Of Connections
• VLAN Trunking/Tagging (802.1Q)
• VLAN Examples

VLAN Introduction

• A logical subgroup within a LAN that is created via software rather than by manually moving cables in the wiring closet.
• Segments a LAN into two or more “virtual” LANs with separate broadcast domains.
• VLANs function at layer 2. Since their purpose is to isolate traffic within the VLAN, a router is required to pass traffic from one VLAN to another.

VLAN Benefits

• Broadcast Control
  · Without VLANs – No Broadcast Control
  · Without VLANs, the ARP Request would be seen by all hosts.
  · This consumes network bandwidth and host processing cycles unnecessarily.

VLAN Benefits

  · With VLANs – Broadcast Control
  · Data will only travel within the VLAN.

VLAN Benefits

• Performance
  · VLANs can reduce the traffic sent to unnecessary destinations.
• Formation of Virtual Groups
  · VLANs can be used to create user groups.
• Security
  · Achieve higher security: a host cannot snoop on the traffic of another group of hosts.
• Simplified Administration
  · The network can be easily managed due to its reduced size.
• Reduced Cost
  · VLANs can be used to create broadcast domains, which can eliminate the cost of expensive routers.

VLAN Operation

• Each switch port can be assigned to a different VLAN.
• Ports assigned to the same VLAN share broadcasts.
• When a LAN bridge receives data from a workstation, it tags the data with a VLAN identifier indicating the VLAN from which the data came. This is called explicit tagging.
• It is also possible to determine which VLAN the received data belongs to using implicit tagging. Implicit tagging assigns a packet to a VLAN based on the Media Access Control (MAC) address, the protocol, the receiving port of the switch, or another parameter by which nodes can be logically grouped.

VLAN Membership Types

• VLAN membership can be defined in several ways:
  · Static VLAN (Port-based): Membership in a VLAN can be defined based on the ports that belong to the VLAN (e.g., ports 1-2,4 belong to VLAN 1 and port 3 belongs to VLAN 3).

Port    VLAN
1       1
2       1
3       2
4       1

[Figure: a switch with Port 1 to Port 4, attached to Host A, Host B, Host C and Host D]

VLAN Membership Types

  · Dynamic VLAN (MAC-based): Membership in a VLAN is based on the MAC address of the workstation (e.g., 1:1:1:1:1:1 and 2:2:2:2:2:2 belong to VLAN 1 and 3:3:3:3:3:3 and 4:4:4:4:4:4 belong to VLAN 2).

MAC Address    VLAN
1:1:1:1:1:1    1
2:2:2:2:2:2    1
3:3:3:3:3:3    2
4:4:4:4:4:4    2

[Figure: a switch attached to Host A (1:1:1:1:1:1), Host B (2:2:2:2:2:2), Host C (3:3:3:3:3:3) and Host D (4:4:4:4:4:4)]

Disadvantages:
• VLAN-MAC mapping must be assigned initially.

Switch Port Roles

• A host can be connected to a bridge/switch port which assumes one of these roles:
  · Trunk Port
  · Access Port
  · Hybrid Port

Types Of Connections

• Trunk Link
  · Attaches two VLAN switches and carries tagged frames ONLY.

Types Of Connections

• Access Links
  · Access Links are untagged for VLAN-unaware devices: the VLAN switch adds tags to received frames and removes tags when transmitting frames.

Types Of Connections

• Hybrid Links
  · A hybrid link is a link to which both VLAN-aware and VLAN-unaware devices are attached. All VLAN-unaware devices are in the same VLAN.

Trunking/Tagging

• When VLANs span multiple switches, VLAN Tagging is required.
• Trunking allows switches to pass frames from multiple VLANs over a single physical connection.
• VLAN Tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN the packet belongs to.

802.1Q VLAN Tagging

• IEEE 802.1Q VLAN Tagging
  · The IEEE 802.1Q specification establishes a standard method for tagging Ethernet frames with VLAN membership information.
  · 4 bytes are inserted after the Destination and Source Address.
  · Tag Protocol Identifier (TPID) = 2 bytes (0x8100)
  · Tag Control Information (TCI) = 2 bytes

802.1Q VLAN Tagging

• A tagged frame carrying a VLAN identifier of all zeroes is referred to as a priority-tagged frame.
• A priority-tagged frame is treated the same as an untagged frame from the perspective of a VLAN-aware switch.
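The 4-byte tag layout and the priority-tagged case from the two slides above, as an added Python example that is not part of the original deck. It goes beyond the slides by splitting the 2-byte TCI into its standard sub-fields (3-bit PCP, 1-bit DEI, 12-bit VID); the function names and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q tag

def parse_vlan_tag(frame: bytes):
    """Return the 802.1Q tag fields of an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    # Bytes 0-5: destination MAC, 6-11: source MAC, 12-13: TPID or EtherType.
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    vid = tci & 0x0FFF
    return {
        "pcp": tci >> 13,               # 3-bit priority code point
        "dei": (tci >> 12) & 1,         # 1-bit drop eligible indicator
        "vid": vid,                     # 12-bit VLAN identifier
        "priority_tagged": vid == 0,    # VID of all zeroes
        "ethertype": ethertype,         # EtherType of the encapsulated payload
    }

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag after the two addresses (access-port ingress)."""
    if not (0 <= vid <= 4094 and 0 <= pcp <= 7):
        raise ValueError("VID must be 0-4094 and PCP 0-7")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return frame[:12] + tag + frame[12:]

def untag_frame(frame: bytes) -> bytes:
    """Strip the tag again (access-port egress); untagged frames pass through."""
    if parse_vlan_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]

# Constructed sample: broadcast ARP frame (EtherType 0x0806) with a dummy payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)

if __name__ == "__main__":
    for f in (UNTAGGED, tag_frame(UNTAGGED, 2, pcp=5), tag_frame(UNTAGGED, 0, pcp=6)):
        print(len(f), parse_vlan_tag(f))
```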

Examples

• The switch uses the following VLANs:
  · Ports 1 - 3 of the switch are untagged members of port-based VLAN 2.
  · Port 4 is a tagged member of VLAN 2.
  · Ports 3 - 5 are tagged members of VLAN 3.
  · Port 6 is an untagged member of VLAN 3.
  · The following MAC-based VLAN mapping is configured on the switch:
    MAC A: 11.11.11.11.11.11 -> VLAN 3
• This switch implementation also has the following rules:
  · MAC-based VLANs take precedence over Port-based VLANs.

Examples

• Treatment of packets
  · An untagged packet with a source MAC other than A arrives at port 1
  · An untagged packet with source MAC A arrives at port 1
  · A tagged packet with VID=2 arrives at port 4
  · A tagged packet with VID=10 arrives at port 5
  · An untagged packet with a source MAC other than A arrives at port 6
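The five packets above worked through the example switch's memberships and precedence rule, as an added Python example that is not part of the original deck; it shows which ports each frame can reach, which is the isolation boundary the VLANs enforce. Assumptions: a tagged frame is dropped when the ingress port is not a member of its VID (ingress filtering), a MAC-based match is accepted even when the ingress port is not a member of that VLAN, and an accepted frame is flooded to every other member port. MEMBERSHIP, MAC_VLAN, classify and the non-A MAC address are illustrative names and values.

```python
# Port membership from the example slide: {port: {vlan: "untagged" | "tagged"}}
MEMBERSHIP = {
    1: {2: "untagged"},
    2: {2: "untagged"},
    3: {2: "untagged", 3: "tagged"},
    4: {2: "tagged", 3: "tagged"},
    5: {3: "tagged"},
    6: {3: "untagged"},
}
MAC_A = "11.11.11.11.11.11"
MAC_VLAN = {MAC_A: 3}            # MAC-based mapping from the slide
OTHER = "22.22.22.22.22.22"      # constructed address standing in for "not A"

def port_vlan(port):
    """VLAN an untagged frame inherits from the port's untagged membership."""
    for vlan, mode in MEMBERSHIP[port].items():
        if mode == "untagged":
            return vlan
    return None

def classify(port, src_mac, vid=None):
    """Return (vlan, egress); egress maps each flood port to how it sends the frame.

    A drop is reported as (None, {}).
    """
    if vid:
        # Explicitly tagged frame: the tag decides, subject to ingress filtering.
        if vid not in MEMBERSHIP[port]:
            return None, {}
        vlan = vid
    else:
        # Untagged or priority-tagged (VID 0): MAC-based VLAN wins over port-based.
        vlan = MAC_VLAN.get(src_mac) or port_vlan(port)
        if vlan is None:
            return None, {}
    egress = {p: m[vlan] for p, m in MEMBERSHIP.items() if p != port and vlan in m}
    return vlan, egress

if __name__ == "__main__":
    cases = [(1, OTHER, None), (1, MAC_A, None), (4, OTHER, 2),
             (5, OTHER, 10), (6, OTHER, None)]
    for port, mac, vid in cases:
        print(f"port={port} mac={mac} vid={vid} ->", classify(port, mac, vid))
```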

Thank You ... Queries !!
