The objective of this article is to explain how to divide a physical network into several separate logical networks with Virtual Local Area Networks (VLANs). We will also describe the benefits of breaking a broadcast domain and adding more security to the network.
What is VLAN
Virtual LANs (VLANs) allow a single LAN to be partitioned into several separate LANs. An identifier (TAG) is assigned to every virtual LAN. When a packets wants to go from one segment to another, it can do so only if both of the segments are assigned with the same identifier (TAG).
This will result in limiting the number of clients in each VLAN who are capable of receiving broadcast packets. VLANs provide the amazing possibility to manipulate the logical design of the topology without replacing any wires or changing addresses.
A network administrator needs to only change the config or assign one client to another VLAN (actually other broadcast domain).
How does a VLAN work?
Configuring a VLAN can be accomplished by assigning a number in Data link layer. As you know, in Data link layer, the physical address of source and destination station is added to the packet. If you configure VLAN in the network, data link layer adds VLAN number to the frame during the encapsulation phase.
In case there’s no VLAN in a network, by default, all ports will reside in VLAN one which is the default VLAN number on most switches.
The VLAN number is assigned from a range of 1 to 4096. If you have a Cisco switch, remember that VLAN number 1 is always reserved for the default VLAN. This VLAN can be used but you won’t be able to delete it. Also, VLANs 1002-1005 are also reserved for token ring networks. You cannot delete these VLANs numbers too.
Normal and extended VLAN-ID
There are two protocols to add VLAN numbers in the data link layer. Inter-switch link (ISL) is one of two possible protocols for Ethernet which is not used now. This Standard just works in Cisco devices and other vendors cannot use it.
Later IEEE organization has created a standard protocol for adding VLAN number to Ethernet frame. This protocol is 802.1Q and all of the switches use this standard in layer 2 encapsulation. VLAN numbers 1 to 4094 can be used for user traffic in the catalyst/Cisco switches. Before, the VLAN-id was shorter and usable VLAN numbers was limited to 1 to 1001.
After publication of 802.1Q standard, Cisco started supporting for VLANs. For a long time, there was a limitation with extended VLANs 1006-4094. They could not be created and propagated by Cisco VLAN Trunking Protocol (VTP). In order to create a VLAN in extended range, the administrator had to configure the switch for VTP transparent mode.
Access and Trunk port
A layer 2 port on a switch is either an Access port or Trunk port. Access port is assigned only to a single VLAN and it cannot carry traffic between two VLANs.
But a Trunk port is by default a member of all the VLANs that exist on the switch so they can send traffic to all the VLANs between the switches.
Following video shows you how to configure VLAN in practice.