Home > Virtual Local Area Network VLAN Tutorial

Virtual Local Area Network VLAN Tutorial

July 20th, 2011 Go to comments

VLAN Introduction

“A virtual LAN (VLAN) is a group of networking devices in the same broadcast domain”

It is the concept of VLAN that most of the books are using but it doesn’t help us understand the benefits of VLANs. If you ask “What is a LAN?” you will receive the same answer: it is also a group of networking devices in the same broadcast domain!

To make it clearer, I expanded the above statement into a bit longer statement :)

“A virtual LAN (VLAN) is a group of networking devices in the same broadcast domain, logically”

It means that the devices in the same VLAN may be widely separated in the network, both by geography and location. VLANs logically segment the network into different broadcast domains so that packets are only switched between ports that are designated for the same VLAN.

Let’s take an example to understand the benefits of VLAN. Suppose you are working in a big company with many departments, some of them are SALES and TECHNICAL departments. You are tasked to separate these departments so that each of them can only access specific resources in the company.

This task is really easy, you think. To complete this task, you just need to use different networks for these departments and use access-list to allow/deny that network to a specific resource. For example, you assign network 192.168.1.0/24 for SALES and 192.168.2.0/24 for TECH. At the “Company router” you apply an access-list to filter traffic from these networks. Below is the topology of your network without VLANs:

VLAN_need.jpg

Everything looks good and you implement this design to your company. But after one month you receive many complaints from both your colleagues and leaders.

+ First, your department leaders need to access to additional private resources which employees are not allowed.
+ Second, the company has just recruited some new SALES employees but now the SALES room is full so they have to sit at the 1st floor (in the TECH area). They want to access to SALES resources but they can only access to the TECH resources because they are connecting to TECH switch.

To solve the first problem maybe you will create a new and more powerful network for your leaders. But notice that each leader sits at different floor so you will need to link all of them to a switch -> what a mess!

The second problem is more difficult than the first one. Maybe you have to create another network at the TECH area and apply the same policy as the SALES department for these hosts -> another mess in management!

Maybe you will be glad to know VLAN can solve all these problems. VLAN helps you group users together according to their function rather than their physical location. This means you can use the same network for hosts in different floors (of course they can communicate with each other).

VLAN_problem_solved.jpg

In this design:

+ you can logically create a new network with additional permissions for your leaders (LEADER network) by adding another VLAN.
+ employees can sit anywhere to access the resources in their departments, provided that you allow them to do so.
+ computers in the same department can communicate with each other although they are at different floors.

If these departments expand in the future you can still use the same network in any other floor. For example, SALES needs to have 40 more employees -> you can use 4th floor for this expansion without changing the current network.

But wait… maybe you recognize something strange in the above design? How can 2 computers connecting to 2 different switches communicate? If one computer sends a broadcast packet will it be flooded to other departments as switch doesn’t break up broadcast domains?

The answer is “Yes, they can!” and it is the beauty of VLAN. Hosts in the same VLAN can communicate normally even they are connecting to 2 or more different switches. This makes the management much more simple.

Although layer 2 switches can only break up collision domains but VLANs can be used to break up broadcast domains. So if a computer in SALES broadcasts, only computers in SALES will receive that frame.

So we don’t need a router, right? The answer is “we still need a router” to enable different VLANs to communicate with each other. Without a router, the computers within each VLAN can communicate with each other but not with any other computers in another VLAN. For example, we need a router to transfer file from LEADER to TECH. This is called “interVLAN routing”.

When using VLANs in networks that have multiple interconnected switches, you need to use VLAN trunking between the switches. With VLAN trunking, the switches tag each frame sent between switches so that the receiving switch knows which VLAN the frame belongs to. This tag is known as a VLAN ID. A VLAN ID is a number which is used to identify a VLAN.

VLAN_ID.jpg

Notice that the tag is only added and removed by the switches when frames are sent out on the trunk links. Hosts don’t know about this tag because it is added on the first switch and removed on the last switch. The picture below describes the process of a frame sent from PC A to PC B.

VLAN_tag_added_removed.jpg

Note: Trunk link does not belong to a specific VLAN, rather it is a conduit for VLANs between switches and routers.

To allow interVLAN routing you need to configure trunking on the link between router and switch.

Therefore in our example we need to configure 3 links as “trunk”.

VLAN_problem_trunking.jpg

Cisco switches support two different trunking protocols, Inter-Switch Link (ISL) and IEEE 802.1q. Cisco created ISL before the IEEE standardized trunking protocol. Because ISL is Cisco proprietary, it can be used only between two Cisco switches -> 802.1q is usually used in practical.

In 802.1q encapsulation, there is a concept called native VLAN that was created for backward compatibility with old devices that don’t support VLANs. Native VLAN works as follows:

+ Frame belonging to the native VLAN is not tagged when sent out on the trunk links
+ Frame received untagged on the trunk link is set to the native VLAN.

VLAN_native_VLAN.jpg

So if an old switch doesn’t support VLAN it can still “understand” that frame and continue sending it (without dropping it).

Every port belongs to at least one VLAN. If a switch receives untagged frames on a trunkport, they are assumed to be part of the native vlan. By default, VLAN 1 is the default and native VLAN but this can be changed on a per port basis by configuration.

Comments (50) Comments
Comment pages
  1. varun
    November 5th, 2011

    thaks all for nice advice.

  2. Arby
    November 16th, 2011

    Can you please send me the latest dump of questions for the CCNA exams?
    I will be taking my certification exam early next year.
    Thank you so much! 9tut is such a great place to learn! – abrahamgoc@yahoo.com

  3. cheng
    January 23rd, 2012

    Thanks, this tutorial of VLAN is easy to learn.
    I don’t really understand about ‘trunking’ word before read this article

  4. iqbal
    February 8th, 2012

    thanks, awesome tutorial.. i really don;t get how yo do vlan at first.. thanks again :)

  5. vera
    February 18th, 2012

    Thanks.. I think I understand better for my exam :D

  6. Anonymous
    February 23rd, 2012

    @xallax
    Hello. I’ve passed ICND1. Thank you and 9tut.
    I have a question: I think you know that on real routers we can assign two or more IP addresses on one physical interface (e.g ip addr 192.168.1.1/24, ip addr 192.168.10.1/24 sec)
    For what purposes it is used?
    If we can assign more than one ip address on one router’s interface, why we need VLAN’s in this example task?
    We attached new sales employees in TECH department. We assign to their computers IP adresses and default gateway from SALES scope. Because our router has two IP adresses on one interface, it can route traffic from both departments (first IP for TECH and second IP for SALES)
    Where are difficults?
    Yes, I understand that VLAN’s decrease broadcast size and increase its amount, it reduce worthless chanel’s bandwidth using. But I don’t fully understand the meaning VLAN using for security and scalability…If it is not difficult for you, could you explain me two approaches to network creating in this case: without VLAN using and using VLANs.

  7. xallax
    February 23rd, 2012

    @anonymous
    using secondary addresses is like using subinterfaces. all routers that are directly connected must have IP addresses on the same secondary subnets too. kinda like subinterfaces…

    why do VLANs increase security? because you can assign, for example, computers from IT to a subnet of /29, computers from Finance to a subnet of /29, computers from the offices to a subnet of /25.

    this way computers from one department dont get to communicate with computers from another department without sending traffic to the default gateway (which is a L3 device) first. what’s the beauty of L3 devices? they enforce security via access lists.
    and that’s how VLANs provide increased security :)

    actually… the thing about VLANs is not about the router, is about the switch. at the LAN level you know that 1 or some routers do the routing, but the switches are the work horses that send frames towards their destination.
    VLANs are good to categorize the devices that connect at the access layer, VTP is good to propagate/maintain that nice structure you’ve created

  8. Killua05
    March 8th, 2012

    thanks 9tut! very well discussed!

  9. harshaxsoad
    March 22nd, 2012

    this is what called tutorials

  10. Lyes
    April 10th, 2012

    Very useful thank you

  11. wilman
    April 13th, 2012

    nice tutorial,

  12. Rod
    May 7th, 2012

    useful indeed!!

  13. jesullrov
    May 20th, 2012

    where can i find complete tutorial notes links¿?
    I can only seeexam questions linked!

    Thanks amazingggg site

  14. 9tut
    June 12th, 2012

    @jesullrov: You can find all my tutorials here: https://www.9tut.com/category/ccna-knowledge

  15. mthom
    June 28th, 2012

    How would stacked switches play into this? Say I had several switches in a stack all linked together. This topology continues in several buildings that all need to be linked to a central site through a core switch. How should I go about assigning several different vlans for several different broadcast domains and still have them communcate with who needs it. Would it be better to make the master switch in each stack a layer 3 switch to route between vlan’s in each switch stack or send all traffic back to core switch to be routed. Could stacking cables also be used for trunking vlans together?

  16. Anonymous
    July 8th, 2012

    @9tut

    1st_Floor_Switch(config)#interface f0/0
    1st_Floor_Switch(config-if)#switchport access vlan 2
    1st_Floor_Switch(config-if)#interface f0/1
    1st_Floor_Switch(config-if)#switchport access vlan 3

    is there fa0/0 in a switch?

  17. A. Ismail
    July 20th, 2012

    9tut , thank you very much
    you’ve done a great work
    ^_^

  18. Sandeep Kumar Giri
    August 12th, 2012

    It’s a great website to networkers

  19. Anonymous
    August 23rd, 2012

    nice explanation…………..

  20. Sasank Choudhury
    August 23rd, 2012

    awesome explanation………………..

  21. AliChowdhury
    August 25th, 2012

    Very nice tutorials. Keep it up, please…….

  22. Rambilas
    September 1st, 2012

    Yes, I agree, it is really good explanation….

  23. Anonymous
    September 18th, 2012

    simple to understand…..

  24. Tiger
    October 1st, 2012

    nice explanation

  25. `Dheeraj
    October 4th, 2012

    Nicely composed ,Indeed.

  26. tshons
    November 14th, 2012

    send me latest dumps on tshons@gmx.com

  27. Anonymous
    November 20th, 2012

    send me latest dumps on andymunoz@hotmail.com

    Thx

  28. Sandeep VB
    November 21st, 2012

    Thanks for the explanation

  29. Tuhin C
    November 27th, 2012

    I will be taking CCNA certification exam early next year.Can you please send me the latest dump of questions for that.

    Please send the dump to my mail id:::: tmi12345@yahoo.com

    Thanks

  30. anil rana
    December 11th, 2012

    your are missing which interface select the vlan trunk in upper configuration

  31. Ramu
    December 12th, 2012

    hanks.. I think I understand better for my exam :D

  32. Muhammad Ghayyur 17/12/2012
    December 17th, 2012

    Dear
    every body can send me

    CCNA dumps who latest and give me one chance thanks

  33. Muhammad Ghayyur 17/12/2012
    December 17th, 2012

    Dear
    every body can send me
    CCNA dumps who latest and give me one chance thanks

    Ghayyur218@hotmail.com

  34. Zeek
    December 29th, 2012

    I just wanted to compliment you on your tutorial. It is one of the better ones I have come across. Your illustrations and examples are very helpful and easy to understand. I am not going for the CCNA or anything else. I was just interested in what a VLAN was and why you would want to use one; and now I know:))

    Thanks!!

  35. Parmar
    January 10th, 2013

    I have not read yet all. but i think i can gain more from this site.

  36. UMAR RASHEED
    January 31st, 2013

    ITS REALLY INFORMATIVE SITE!
    CAN YOU SEND ME THE CONFIG OF VLAN AND INTER-VLAN

    UMARBILAL@UCP.EDU.PK

  37. Elako Hermogenes
    February 11th, 2013

    I like VLAN implementation, thanks of the information on this page.

  38. sharma
    February 22nd, 2013

    There are two machines on a LAN. How can I configure a VLAN between the two? I tried giving the same vlan id to both and used ifconfig to create an interface on both machines

  39. Naveen
    February 27th, 2013

    Nice. Also explain about VTP pruning.

  40. prakash
    March 9th, 2013

    i will read all pages to get my CCNA certification !!!!!!! realy it’s too gooddddd

  41. Mohaned
    March 19th, 2013

    Posted on If they add the Fibre SFP to the gigabit stcwih port group the RB2011 could make an amazing customer house network termination unit in my opinion. Currently any decent stcwih with vlans + troubleshooting features is $500-1000 for even a 12~ port model when quite often all that is needed (for us anyway) is 1 fibre for the line in, 1 port for a Wireless or ADSL backup and then some ports for the customer router

  42. Daniel
    March 21st, 2013

    Hi Ryan,You have a mis-configuration between the two VRRP rorteus. You probably have Fast Advertisement enabled on one but disabled on the other. Assuming that your VRIDs match your VLAN IDs you could issue the following command on both your ERS 8600 switches;ERS-8610:5# config vlan 8 ip vrrp 8 infoSub-Context: clear config dump monitor show test trace wsm asfm samCurrent Context: action : none address : IP ADDRESS OF VRRP INTERFACE adver-int : 1 backup-master : enable critical-ip : 0.0.0.0 critical-ip-enable : disable fast-adv-int : 200 fast-adv-enable : disable delete : N/A vrrp enable : enable holddown-timer : 0 priority : 100The settings should be identical on both ERS 8600 switches. It sounds to me like someone has enabled Fast Advertisement on one of the switches but left it disabled on the other switch. Just go ahead and disable Fast Advertisement (fast-adv-enable) and the error should clear.Good Luck!

  43. Phyllis
    March 21st, 2013

    Hi Michael,th naks for reply the voice vlan is 25 and the port which the ip phone is connected is 5 the dhcp is glabolly define on the server and connected on the l3 switchi have recived the logs on the switch is mentioned below 4826GTS-PWR+(config)#show logging Type Time Idx Src Message – – – I 00:00:39:25 108 Link Down Trap for Port: 5 I 00:00:39:30 109 Link Down Trap for Port: 23 I 00:00:39:32 110 Trap: pethPsePortOnOffNotification I 00:00:39:32 111 PoE Port Detection Status: Port 5 Status: Detecting I 00:00:39:33 112 Link Up Trap for Port: 24 I 00:00:39:36 113 Trap: pethPsePortOnOffNotification I 00:00:39:36 114 PoE Port Detection Status: Port 5 Status: Delivering Power I 00:00:39:40 115 Link Down Trap for Port: 24 I 00:00:39:43 116 Link Up Trap for Port: 23 I 00:00:39:53 117 Link Up Trap for Port: 5 I 00:00:40:18 118 Trap: bsnConfigurationSavedToNvram I 00:00:41:28 119 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:41:29 120 Trap: lldpRemTableChange Inserts = 18 I 00:00:42:04 121 Link Down Trap for Port: 5 I 00:00:42:28 122 Link Up Trap for Port: 5 4826GTS-PWR+(config)# 4826GTS-PWR+(config)#show logging Type Time Idx Src Message – – – I 00:00:39:25 108 Link Down Trap for Port: 5 I 00:00:39:30 109 Link Down Trap for Port: 23 I 00:00:39:32 110 Trap: pethPsePortOnOffNotification I 00:00:39:32 111 PoE Port Detection Status: Port 5 Status: Detecting I 00:00:39:33 112 Link Up Trap for Port: 24 I 00:00:39:36 113 Trap: pethPsePortOnOffNotification I 00:00:39:36 114 PoE Port Detection Status: Port 5 Status: Delivering Power I 00:00:39:40 115 Link Down Trap for Port: 24 I 00:00:39:43 116 Link Up Trap for Port: 23 I 00:00:39:53 117 Link Up Trap for Port: 5 I 00:00:40:18 118 Trap: bsnConfigurationSavedToNvram I 00:00:41:28 119 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:41:29 120 Trap: lldpRemTableChange Inserts = 18 I 00:00:42:04 121 Link Down Trap for Port: 5 I 00:00:42:28 122 Link Up Trap for Port: 5 4826GTS-PWR+(config)#show logging Type Time Idx Src Message – – – I 00:00:39:25 108 Link Down Trap for Port: 5 I 00:00:39:30 109 Link Down Trap for Port: 23 I 00:00:39:32 110 Trap: pethPsePortOnOffNotification I 00:00:39:32 111 PoE Port Detection Status: Port 5 Status: Detecting I 00:00:39:33 112 Link Up Trap for Port: 24 I 00:00:39:36 113 Trap: pethPsePortOnOffNotification I 00:00:39:36 114 PoE Port Detection Status: Port 5 Status: Delivering Power I 00:00:39:40 115 Link Down Trap for Port: 24 I 00:00:39:43 116 Link Up Trap for Port: 23 I 00:00:39:53 117 Link Up Trap for Port: 5 I 00:00:40:18 118 Trap: bsnConfigurationSavedToNvram I 00:00:41:28 119 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:41:29 120 Trap: lldpRemTableChange Inserts = 18 I 00:00:42:04 121 Link Down Trap for Port: 5 I 00:00:42:28 122 Link Up Trap for Port: 5 I 00:00:44:04 123 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:44:04 124 Trap: lldpRemTableChange Inserts = 19 I 00:00:44:43 125 Link Down Trap for Port: 5 I 00:00:45:07 126 Link Up Trap for Port: 5 I 00:00:46:39 127 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:46:39 128 Trap: lldpRemTableChange Inserts = 20 I 00:00:47:15 129 Link Down Trap for Port: 5 I 00:00:47:40 130 Link Up Trap for Port: 5 I 00:00:48:41 131 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:48:44 132 Trap: lldpRemTableChange Inserts = 21 I 00:00:49:08 133 Link Down Trap for Port: 5 I 00:00:49:33 134 Link Up Trap for Port: 5 I 00:00:50:33 135 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:50:34 136 Trap: lldpRemTableChange Inserts = 22 I 00:00:51:02 137 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:51:04 138 Link Down Trap for Port: 5 I 00:00:51:04 139 Trap: lldpRemTableChange Inserts = 23 I 00:00:51:28 140 Link Up Trap for Port: 5 I 00:00:52:59 141 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:52:59 142 Trap: lldpRemTableChange Inserts = 24 I 00:00:53:38 143 Link Down Trap for Port: 5 I 00:00:54:03 144 Link Up Trap for Port: 5 I 00:00:55:04 145 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:55:04 146 Trap: lldpRemTableChange Inserts = 25 I 00:00:55:31 147 Link Down Trap for Port: 5 I 00:00:55:55 148 Link Up Trap for Port: 5 I 00:00:56:57 149 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:56:59 150 Trap: lldpRemTableChange Inserts = 26 I 00:00:57:24 151 Link Down Trap for Port: 5 4826GTS-PWR+(config)# 4826GTS-PWR+(config)# 4826GTS-PWR+(config)# 4826GTS-PWR+(config)# 4826GTS-PWR+(config)# 4826GTS-PWR+(config)# 4826GTS-PWR+(config)#set p 4826GTS-PWR+(config)#set p 4826GTS-PWR+(config)#set p 4826GTS-PWR+(config)#set p 4826GTS-PWR+(config)#set p 4826GTS-PWR+(config)#set pO 4826GTS-PWR+(config)#set pO 4826GTS-PWR+(config)#set pO 4826GTS-PWR+(config)#set pO 4826GTS-PWR+(config)#? Configure commands: adac Modify ADAC settings arp Configure a static ARP entry asset-id Configure the Asset-ID audit Enable audit log save settings auto-pvid Enable Auto-PVID (for all ports). autosave Change autosave settings autotopology Enable the autotopology protocol banner Set custom banner info cli Modify password settings clock Global RTC configuration subcommands default Set a command to its defaults eapol Enable/disable EAPOL protocol. edm Modify EDM settings end Exit from configure mode energy-saver Configure global energy saver settings exit Exit from configure mode http-port Set the TCP port on which web server will listen interface Select an interface to configure ip Global IP configuration subcommands ipmgr Modify IP Manager settings. ipv6 Global IPv6 configuration subcommands 4826GTS-PWR+(config)#SHOPW LOGG 4826GTS-PWR+(config)#SHOW LOGG 4826GTS-PWR+(config)#SHOW LOGGing Type Time Idx Src Message – – – I 00:00:39:25 108 Link Down Trap for Port: 5 I 00:00:39:30 109 Link Down Trap for Port: 23 I 00:00:39:32 110 Trap: pethPsePortOnOffNotification I 00:00:39:32 111 PoE Port Detection Status: Port 5 Status: Detecting I 00:00:39:33 112 Link Up Trap for Port: 24 I 00:00:39:36 113 Trap: pethPsePortOnOffNotification I 00:00:39:36 114 PoE Port Detection Status: Port 5 Status: Delivering Power I 00:00:39:40 115 Link Down Trap for Port: 24 I 00:00:39:43 116 Link Up Trap for Port: 23 I 00:00:39:53 117 Link Up Trap for Port: 5 I 00:00:40:18 118 Trap: bsnConfigurationSavedToNvram I 00:00:41:28 119 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:41:29 120 Trap: lldpRemTableChange Inserts = 18 I 00:00:42:04 121 Link Down Trap for Port: 5 I 00:00:42:28 122 Link Up Trap for Port: 5 I 00:00:44:04 123 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:44:04 124 Trap: lldpRemTableChange Inserts = 19 I 00:00:44:43 125 Link Down Trap for Port: 5 I 00:00:45:07 126 Link Up Trap for Port: 5 I 00:00:46:39 127 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:46:39 128 Trap: lldpRemTableChange Inserts = 20 I 00:00:47:15 129 Link Down Trap for Port: 5 I 00:00:47:40 130 Link Up Trap for Port: 5 I 00:00:48:41 131 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:48:44 132 Trap: lldpRemTableChange Inserts = 21 I 00:00:49:08 133 Link Down Trap for Port: 5 I 00:00:49:33 134 Link Up Trap for Port: 5 I 00:00:50:33 135 Trap: lldpXMedTopologyChangeDetect ed, Subtype = 5 Class = 3 I 00:00:50:34 136 Trap: lldpRemTableChange Inserts =

  44. bikram
    March 22nd, 2013

    I have not read yet all but i will gain all the explanation about VLAN nd easy to undrestand thanks….

  45. m.moradkhani
    April 29th, 2013

    thanks ;)

  46. rajesh ravi
    May 7th, 2013

    cheers man.. that was awesum !!

  47. ray ban wayfarer
    June 1st, 2013

    This is a really good read for me, Must admit that you are one of the best bloggers I ever saw.Thanks for posting this informative article. ray ban wayfarer http://ray-ban-wayfarer16.webnode.fr

  48. Bruno
    June 6th, 2013

    I am using VLan. I have problem accessing the printer on the other side using different IP address. For example. My VLan goes by : 13.8.3.1 while my network goes with c class . I just want to pring on C class from this Vlan. Your help will be well appreciated .

  49. Bruce
    June 15th, 2013

    This have page is highly informative thanks very much 9tut

  50. chintan
    June 16th, 2013

    one of the best artical

Comment pages
Add a Comment