Faculty of Information Technology

HANOI UNIVERSITY

CNE – Computer Networks

VLAN configuration and subnetting
I. VLAN (virtual LAN)
What is a VLAN (virtual LAN)?

A virtual LAN (VLAN) is a logical overlay network that groups together a subset of devices that share a physical
LAN, isolating the traffic for each group.

A LAN is a group of computers or other devices in the same place -- e.g., the same building or campus -- that
share the same physical network. A LAN is usually associated with an Ethernet (Layer 2) broadcast domain,
which is the set of network devices an Ethernetbroadcast packet can reach.

Computers on the LAN connect to the same network switch, either directly or through wireless access points
(APs) connected to the same switch. Computers can also connect to one of a set of interconnected switches,
such as a set of access switches that all connect up to a backbone switch. Once traffic crosses a router and
engages Layer 3 (IP-related) functions, it is not considered to be on the same LAN, even if everything stays in the
same building or floor. As a result, a location could have many interconnected LANs.

A VLAN, like the LAN it sits atop, operates at Layer 2 of the network, the Ethernet level. VLANs partition a single
switched network into a set of overlaid virtual networks that can meet different functional and security
requirements. This partitioning avoids the need to have multiple, distinct physical networks for different use
cases.

The purpose of a VLAN

Network engineers use VLANs for multiple reasons, including the following:

 to improve performance

 to tighten security

 to ease administration

Improve performance

VLANs can improve performance for devices on them by reducing the amount of traffic a given endpoint sees
and processes. VLANs break up broadcast domains, reducing the number of other hosts from which any given
device sees broadcasts. For example, if all desktop voice over IP phones are on one VLAN and all workstations
are on another, phones won't see any workstation-generated broadcast traffic and vice versa. Each can devote
its network resources to relevant traffic only.

Engineers can also define different traffic-handling rules per VLAN. For example, they can set rules to prioritize
video traffic on a VLAN that connects conference room equipment to help guarantee the performance of
telepresence devices.
Tighten security

VLAN partitioning can also improve security by enabling a higher degree of control over which devices have
access to each other. For example, network teams may restrict management access to network gear or IoT
devices to specific VLANs.

Ease administration

Using VLANs to group endpoints also enables administrators to group devices for purely administrative,
nontechnical purposes. For example, they may put all accounting computers on one VLAN, all human resources
computers on another and so on.

Learn how a VLAN uses segmentation to isolate network traffic for specific use cases.

Types of VLANs

VLANs can be port-based (sometimes called static) or use-based (sometimes called dynamic).

Port-based or static VLAN

Network engineers create port-based VLANs by assigning ports on a network switch to a VLAN. Those ports only
communicate on the assigned VLANs, and each port is on one VLAN only. While port-based VLANs are
sometimes called static VLANs, it's important to remember they aren't truly static because the VLANs assigned to
the port can be changed on the fly, manually or by network automation.

Use-based or dynamic VLAN

Network engineers create use-based VLANs by assigning traffic to a VLAN dynamically, based on the traffic type
or the device creating the traffic. A port might be assigned to a VLAN based on the identity of the device attached
-- as indicated by a security certificate -- or on the network protocols in use. One port can be associated with
multiple dynamic VLANs. Changing which device is connected through a port, or even how the existing device is
used, might change the VLAN assigned to the port.

VLAN use cases

Some VLANs have simple and practical goals, such as segregating printer access. Administrators can set them
up to enable computers on any given VLAN to see the printers also on that VLAN but not those outside it.

Other VLANs serve more complex purposes. For example, computers in a retail banking department cannot
interact directly with computers in the trading departments. Setting up separate VLANs for the departments is
one way network engineers can enforce such segregation.
How VLANs work

A VLAN is identified on network switches by a VLAN ID. Each port on a switch can have one or more VLAN IDs
assigned to it and will land in a default VLAN if no other one is assigned. Each VLAN provides data-link access to
all hosts connected to switch ports configured with its VLAN ID.

A VLAN ID is translated to a VLAN tag, a 12-bit field in the header data of every Ethernet frame sent to that
VLAN. Because a tag is 12 bits long, up to 4,096 VLANs can be defined per switching domain. VLAN tagging is
defined by IEEE in the 802.1Q standard.

When an Ethernet frame is received from an attached host, it has no VLAN tag. The switch adds the VLAN tag.
In a static VLAN, the switch inserts the tag associated with the ingress port's VLAN ID. In a dynamic VLAN, it
inserts the tag associated with that device's ID or the type of traffic it generates.

Switches forward tagged frames toward their destination media access control address, forwarding only to ports
with which the VLAN is associated. Broadcast, unknown unicast and multicast traffic is forwarded to all ports in
the VLAN. Trunk links between switches know which VLANs span the switches, accepting and passing along all
traffic for any VLAN in use on both sides of the trunk. When a frame reaches its destination switch port, the VLAN
tag is removed before the frame is transmitted to the destination device.

Spanning Tree Protocol (STP) is used to create loop-free topology among the switches in each Layer 2 domain.
A per-VLAN STP instance can be used, which enables different Layer 2 topologies. A multi-instance STP can
also be used to reduce STP overhead if the topology is the same among multiple VLANs.

Disadvantages of VLANs

VLANs help control broadcast traffic, tighten security, ease administration and improve performance. But they
have some disadvantages, too.

Limit of 4,096 VLANs per switching domain

One disadvantage of VLANs in a modern data center or cloud infrastructure is the limit of 4,096 VLANs per
switching domain. A single network segment may host tens of thousands of systems and hundreds or thousands
of distinct tenant organizations, each of which may need tens or hundreds of VLANs.

To address this limitation, other protocols have been created, including Virtual Extensible LAN, Network
Virtualization using Generic Routing Encapsulation and Generic Network Virtualization Encapsulation. They
support larger tags, which enables more VLANs to be defined, and the ability to tunnel Layer 2 frames within
Layer 3 packets.

Managing spanning tree structures

Another disadvantage is that, when VLANs are numerous and large, the network can have a difficult time
managing the spanning tree structures needed to prevent traffic loops. The easiest fix for this is to remove
redundant links from the network. Unfortunately, that then leaves the network vulnerable to a single point of
failure anywhere a redundant link was removed.

VLAN identification with wall jacks and APs

Another challenge with VLANs is it can be difficult to ensure easy identification of the VLANs to which a given
wall jack or AP has access. This can make it more difficult for end users and field service support staff when they
attempt to connect something new to the network.

Another disadvantage that isn't unique to VLANs but still affects them is poor planning, which makes the overall
VLAN plan overly complicated, brittle and difficult to maintain as needs and underlying network equipment
change.
VLANs vs. LAN
Network VLAN (Virtual Local Area
LAN (Local Area Network)
Parameters Network)

Latency High Low

Devices Hubs, switches, and routers Switches and bridges

Network
Not allowed Allowed
Segmentation

Broadcast Traffic Prone to broadcast congestion Reduces broadcast traffic

Management Simple (Single network) Advanced (Multiple network)

Provides isolation between multiple

Isolation Lacks inherent isolation
VLANs

Security Basic (Relying on external Offers granular security control

Configuration measures) through policies

Confined to physical
Flexibility Circumvents the physical limitations
infrastructure

Requires extensive
Scalability No infrastructure changes needed
infrastructure changes

Resource Enhances resource and network

Inefficient
Allocation efficiency

Failure Domain Single Multiple

Tagged Ports and Untagged Ports

A Trunk port on a switch can receive traffic for more than one VLAN. For example, in the
illustration above, the link between the two switches is carrying traffic for both VLAN 10
and VLAN 30.

But in both cases, traffic is leaving one switch as a series of frames, and arriving on the
other switch as a series of frames. Which begs the question, how will the receiving
switch determine which frames belong to VLAN #10, and which frames belong
to VLAN #30?

To account for this, whenever a Switch is sending frames out a Trunk port, it
adds to each frame a tag to indicate to the other end what VLAN that frame
belongs to. This allows the receiving switch to read the VLAN tag in order to determine
what VLAN the incoming traffic should be associated to.

An Access port, by comparison, can only ever carry or receive traffic for a single VLAN.
Therefore, there is no need to add a VLAN Tag to traffic leaving an Access port.
Since VLANs are a Layer 2 technology, the VLAN Tag is inserted within the Layer 2
header. The standard Layer 2 header in modern networks is the Ethernet header, which
has three fields: Destination MAC Address, Source MAC Address, and Type.

When an Ethernet frame is exiting a Trunk port, the switch will insert a VLAN Tag
between the Source MAC address and the Type fields.

This allows the receiving switch to associate the frame with the appropriate VLAN.

To summarize, the final topology with traffic traveling between Host C and Host D
through Access ports and Trunk ports will look like this:

The physical topology above will work exactly like the logical topology below. The hosts
will not know whether they are going through two physical switches (or three or four), or
what VLANs they are in. They operate exactly as they would in any situation which
involves moving packets through a network.
Access Ports and End-Host Devices

Earlier we mentioned Access ports typically face end-host devices like workstations
or printers or servers.

Part of the reason for this is that switches do not add a VLAN tag when sending traffic out
an Access Port.

This allows a host to operate without any knowledge of the VLAN they are connected to.

In a way, the hosts are, intentionally, completely blind to the existence or use of VLANs.
Hosts simply senddata on a network without any knowledge of VLANs, or the switches
they might be connected to.

There was a point in the early days of Networking where certain end-devices would react
negatively if they received a frame with a VLAN tag. For such systems, which
were strictly expecting only the typical fields in an Ethernet header, the frames which
included a VLAN tag might appear as a malformed Ethernet header.

However, this was rare, as the construction of the VLAN tag was intentionally designed to
avoid being interpreted as a malformed frame (this will make more sense in the next
section).

Either way, the general precedent is traffic to end-hosts should not include any
VLAN tags, Hosts can and should remain blissfully ignorant of what VLANs they are in,
or even whether VLANs are being utilized at all.

A possible exception would be if a single Physical Host is hosting multiple

Virtual Machines (VMs) — like a Hypervisor. In some cases, each of those VMs need to
exist in separate VLANs. Therefore, the Physical Host must be connected to a Trunk port,
and must send and received VLAN tags in order to confine the virtual machine traffic to a
specific VLAN.

Terminology

Finally, a quick note on terminology. The terms Access port and Trunk port are usually
associated with the Cisco world. But VLANs are an open standard, therefore other
vendors are able to implement VLANs as well.

What Cisco calls a Trunk port (i.e., a switch port that carries traffic for more than one
VLAN), other vendors refer to as a Tagged port – referring to the addition of a VLAN tag
to all traffic leaving such a port.

What Cisco calls an Access port (i.e., a switch port that carries traffic for only one VLAN),
other vendors refer to as an Untagged port – referring to the traffic leaving the switch
port without a VLAN tag.
These terms are not exhaustive, there are some vendors that may yet use other
terminology, other vendors may even mix and match these terms. Regardless of the
terminology used, all the concepts discussed above still apply.

802.1Q VLAN Tag

VLAN tags requires adding and removing bits to Ethernet frames. The specific sequence
of bits to add is governed by an open standard, which allow any vendor to implement
VLANs on their devices.

The exact format of the VLAN Tag is governed by the 802.1Q standard. This is
an open, IEEE standard which is the ubiquitous method of VLAN tagging in use today.

To demonstrate exactly how the VLAN Tag modifies a packet, take a look at the packet
capture below of the same frame before and after it exits a Trunk port.

The portion of the frame highlighted in yellow is the added VLAN tag. Notice it is inserted
between the Source MAC address and Type field of the original Ethernet header.

You can view this capture yourself in Cloudshark, or you can download the capture
file and open it in Wireshark.

No other modification to the frame or its payload is made by the addition or removal of
the VLAN tag. That said, since even the slight modification displayed above is made,
adding and removing the VLAN tag also involves recalculating the CRC — which is a
simple hash algorithm devised to detect transmissions errors on the wire.

There is an older method of VLAN tagging which is a closed, Cisco proprietary method.
This method was called Inter-Switch Link, or ISL. ISL fully encapsulated the L2 frame in a
new header which included the VLAN identification number.

But these days, even newer Cisco products do not support ISL, as the entire industry has
moved to the superior, open standard of 802.1Q.

Native VLAN

There is one final concept associated with VLANs that often brings confusion. That is the
concept of the Native VLAN.

The Native VLAN is the answer to how a switch processes traffic it receives on
a Trunk port which does not contain a VLAN Tag.

Without the tag, the switch will not know what VLAN the traffic belongs to, therefore the
switch associates the untagged traffic with what is configured as the Native VLAN.
Essentially, the Native VLAN is the VLAN that any received untagged traffic gets
assigned to on a Trunk port.
Additionally, any traffic the switch forwards out a Trunk port that is associated with the
Native VLAN is forwarded without a VLAN Tag.

To see the Native VLAN in action on a live trunk port, check out this video.

The Native VLAN can be configured on any Trunk port. If the Native VLAN is not explicitly
designated on a Trunk port, the default configuration of VLAN #1 is used.

That being said, it is crucially important that both sides of a Trunk port are configured
with the same Native VLAN. This illustration explains why:

Above we have four Hosts (A, B, C, D) all connected to Access Ports in VLAN #22 or VLAN #33,
and Switch X and Switch Y connected to each other with a Trunk port.

Host A is attempting to send a frame to Host C. When it arrives on the switch, Switch X
associates the traffic with VLAN #22. When the frame is forwarded out Switch X’s Trunk
port, no tag is added since the Native VLAN for the Trunk Port on Switch X is also VLAN #22.

But when the frame arrives on Switch Y without a tag, Switch Y has no way of knowing
the traffic should belong to VLAN #22. All it can do is associate the untagged traffic with
what Switch Y’s Trunk port has configured as the Native VLAN, which in this case is VLAN
#33.

Since Switch Y will never allow VLAN #33 traffic to exit a VLAN #22 port, Host C will never get
this traffic. Even worse, due to a Switch’s flooding behavior, Host D might inadvertently
get the traffic that was destined to Host C.

Finally, it should be noted that the Native VLAN is an 802.1Q feature. The antiquated
tagging mechanism of ISL simply dropped traffic receive on a Trunk port that did not
include the ISL tag. Also, remember that the Native VLAN concept only applies to
Trunk ports — traffic leaving and arriving on an Access port is always expected to be
untagged.

II. VLAN configuration

Some commands on switch:

Create VLAN:
vlan 10
name FIT
where 10 is the VLAN number; FIT is the VLAN name

Delete a VLAN:
no vlan 10 name FIT
Show VLANs information:
show vlan

Assign Ports for VLAN (access mode):

interface fa0/2
switchport access vlan 10
where 10 is the VLAN number, fa0/2 is the port in the switch connecting to the computer which
belongs to VLAN 10.

Set Trunk mode:

interface fa0/1
switchport mode trunk
where fa0/1 is the switch port which connects to the router.

Some commands on router:

Configure IP (in Router):

interface fa0/1.10
encapsulation dot1Q 10
ip address 192.168.1.4 255.255.255.252
where 10 is the number of VLAN; dot1Q is the encapsulation type and 10 is the VLAN number.
III. Practice
Make 3 networks (2 VLANs (one having 14 hosts (network B) and one having 6 hosts (network C))
and 1 LAN (having 20 hosts (network A)) connect to together by 2 routers. Given IP block is
130.10.5.128/25. Please subnet for 3 networks.

Solution:
Given block: 130.10.5.128/25 includes 27= 128 Ips, from 130.10.5.128/25 - 130.10.5.255/25
Network A: 130.10.5.128/27 (from 130.10.5.128/27 - 130.10.5.159/27)
Network B: 130.10.5.160/28 (from 130.10.5.160/28 - 130.10.5.175/28)
Network C: 130.10.5.176/29 (from 130.10.5.176/29 - 130.10.5.183/29)
Network Router 0 – Router 1: 130.10.5.184/30 (from 130.10.5.184/29 - 130.10.5.187/30)

Network A Network B Network C

Switch 0: no need to do anything.
Switch 1:
Reference
https://www.techtarget.com/searchnetworking/definition/
virtual-LAN
https://www.techtarget.com/searchnetworking/tip/How-to-set-
up-a-VLAN-for-enterprise-networks
https://www.practicalnetworking.net/stand-alone/vlans/
https://maychusaigon.vn/vlan-la-gi/
https://www.dienmayxanh.com/kinh-nghiem-hay/vlan-la-gi-co-
can-thiet-su-dung-khong-lam-the-nao-1137273