Basic Concepts of VLANs
VLAN Frame Format
In a conventional Ethernet frame, the Length/Type field of the upper-layer protocol directly follows the Destination address and Source address fields, as shown in Figure 5-2.
IEEE 802.1Q is the Ethernet standard that defines the tagged frame format. It inserts a 4-byte tag between the Source address and Length/Type fields of the original frame, as shown in Figure 5-3.
Table 5-1 describes the fields contained in an 802.1Q tag.
| Field | Length | Name | Description |
|---|---|---|---|
| TPID | 2 bytes | Tag Protocol Identifier (TPID), indicating the frame type. | The value 0x8100 indicates an 802.1Q-tagged frame. If an 802.1Q-incapable device receives an 802.1Q frame, it will discard the frame. |
| PRI | 3 bits | Priority (PRI), indicating the frame priority. | The value ranges from 0 to 7. The greater the value, the higher the priority. These values can be used to prioritize different classes of traffic so that frames with high priorities are transmitted first when traffic is heavy. |
| CFI | 1 bit | Canonical Format Indicator (CFI), indicating whether the MAC address is in canonical format. | If the value is 0, the MAC address is in the canonical format. CFI is used to ensure compatibility between Ethernet networks and Token Ring networks. It is always set to zero for Ethernet switches. |
| VID | 12 bits | VLAN ID (VID), indicating the VLAN to which the frame belongs. | VLAN IDs range from 0 to 4095. The values 0 and 4095 are reserved, and therefore usable VLAN IDs range from 1 to 4094 (VLANs 4064 to 4094 are default reserved VLANs; you can run the vlan reserved command to configure the reserved VLAN range). |
- Tagged frames: frames with 4-byte 802.1Q tags.
- Untagged frames: frames without 4-byte 802.1Q tags.
Link Types
As shown in Figure 5-4, VLAN links are of two types:
- Access link: connects a host to a switch. Generally, a host does not know which VLAN it belongs to, and host hardware cannot distinguish frames with VLAN tags. Therefore, hosts send and receive only untagged frames.
- Trunk link: connects a switch to another switch or to a router. Data of different VLANs is transmitted along a trunk link. The two ends of a trunk link must be able to distinguish frames with VLAN tags. Therefore, only tagged frames are transmitted along trunk links.
A frame travels from one host to another as follows:
- A host does not need to know the VLAN to which it belongs. It sends only untagged frames.
- After receiving an untagged frame from a host, the switching device determines the VLAN to which the frame belongs, based on the configured VLAN assignment method (for example, port information), and then processes the frame accordingly.
- If the frame needs to be forwarded to another switching device, it is transparently transmitted along a trunk link. Frames transmitted along trunk links must carry VLAN tags so that other switching devices can forward them based on the VLAN information.
- Before sending the frame to the destination host, the switching device connected to that host removes the VLAN tag so that the host receives an untagged frame.
Generally, only tagged frames are transmitted on trunk links and only untagged frames on access links. In this manner, switching devices on the network can properly process VLAN information while hosts need not be aware of it.
Port Types
Based on how they handle 802.1Q VLAN frames, ports are classified into four types:
Access port
As shown in Figure 5-4, an access port on a switch connects to a host and can only connect to an access link. Only the VLAN whose ID is the same as the port's default VLAN ID is allowed on the access port. Ethernet frames sent from the access port are untagged frames.
Trunk port
As shown in Figure 5-4, a trunk port on a switch connects to another switch and can only connect to a trunk link. Tagged frames of multiple VLANs are allowed on the trunk port.
Hybrid port
As shown in Figure 5-5, a hybrid port on a switch can connect either to a host or to another switch. A hybrid port can connect either to an access link or to a trunk link. The hybrid port allows multiple VLAN frames and removes tags from some VLAN frames on the outbound port.
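The following is an added example, not code from the original documentation or from any switch vendor. It models only the behaviour stated for the three port types above (an access port carries just its default VLAN and sends untagged frames; a trunk port carries several VLANs tagged; a hybrid port carries several VLANs and sends some of them untagged) and returns, for a frame arriving on one port and leaving on another, whether it is dropped, sent tagged or sent untagged. Port names and VLAN numbers are constructed; real switches implement more cases than this model.

```python
"""Simplified model of access, trunk and hybrid port behaviour (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class PortType(Enum):
    ACCESS = "access"
    TRUNK = "trunk"
    HYBRID = "hybrid"


@dataclass
class Port:
    name: str
    ptype: PortType
    pvid: int                                    # port default VLAN ID (PVID)
    allowed: set = field(default_factory=set)    # trunk/hybrid: VLANs permitted on the port
    untagged: set = field(default_factory=set)   # hybrid: VLANs sent without a tag

    def __post_init__(self):
        if self.ptype is PortType.ACCESS:
            self.allowed = {self.pvid}           # access: only the default VLAN is allowed
            self.untagged = {self.pvid}          # and it always leaves untagged
        elif self.ptype is PortType.TRUNK:
            self.untagged = set()                # trunk: every VLAN leaves tagged


def ingress_vid(port: Port, tag_vid: Optional[int]) -> Optional[int]:
    """VLAN an arriving frame is placed in, or None if the port drops it.

    An untagged frame is assigned the PVID; a tagged frame is accepted only if
    its VID is allowed on the port (for an access port, only the PVID).
    """
    if tag_vid is None:
        return port.pvid
    return tag_vid if tag_vid in port.allowed else None


def egress(port: Port, vid: int) -> Optional[str]:
    """How a frame of VLAN `vid` leaves the port: 'tagged', 'untagged', or None if not sent."""
    if vid not in port.allowed:
        return None
    return "untagged" if vid in port.untagged else "tagged"


def forward(ingress_port: Port, tag_vid: Optional[int], egress_port: Port) -> Optional[str]:
    """End-to-end result for a frame entering one port and leaving another."""
    vid = ingress_vid(ingress_port, tag_vid)
    return None if vid is None else egress(egress_port, vid)


# Constructed topology: a host port, an uplink to another switch, and a hybrid port
HOST_PORT = Port("GE0/0/1", PortType.ACCESS, pvid=10)
UPLINK = Port("GE0/0/24", PortType.TRUNK, pvid=1, allowed={1, 10, 20})
MIXED = Port("GE0/0/5", PortType.HYBRID, pvid=10, allowed={10, 20}, untagged={10})

if __name__ == "__main__":
    print("host -> uplink:", forward(HOST_PORT, None, UPLINK))   # tagged
    print("uplink vlan 20 -> host:", forward(UPLINK, 20, HOST_PORT))  # None (not host's VLAN)
    print("uplink vlan 20 -> hybrid:", forward(UPLINK, 20, MIXED))  # tagged
```

The point a defender cares about is visible in `ingress_vid`: an access port accepts a tagged frame only when its VID equals the PVID, so a host cannot place itself in another VLAN simply by sending tagged frames.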
QinQ port
A QinQ port runs the IEEE 802.1 QinQ protocol. It adds a second tag to a single-tagged frame and supports a maximum of 4094 x 4094 VLANs, which meets the demand for a larger number of VLANs.
Figure 5-6 shows the format of a QinQ frame. The outer tag is often called the public tag and carries the VLAN ID of the public network, whereas the inner tag is often called the private tag and carries the VLAN ID of the private network.
For details on the QinQ protocol, see QinQ.
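The following parser is an added example, not code from the original documentation. It implements the tag layout of Table 5-1 (TPID, then PRI, CFI and VID packed into two bytes) and walks the tag stack so that the double-tagged QinQ frame of Figure 5-6 yields an outer (public) and an inner (private) VID. Besides the 0x8100 TPID from the table, it also accepts 0x88A8, the IEEE 802.1ad service-tag TPID, which the page does not mention. It rejects the reserved VIDs 0 and 4095, the check an 802.1Q-aware receiver should make before trusting a tag. The addresses and payload are constructed, not captured traffic.

```python
"""Parser for 802.1Q-tagged and QinQ (double-tagged) Ethernet frames (added example)."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100        # TPID from Table 5-1
TPID_8021AD = 0x88A8       # IEEE 802.1ad service-tag TPID; not shown on the page
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}
RESERVED_VIDS = {0, 4095}  # reserved per Table 5-1
MIN_HEADER = 14            # dst (6) + src (6) + Length/Type (2)


@dataclass
class VlanTag:
    tpid: int
    pri: int  # 3 bits, 0-7
    cfi: int  # 1 bit, always 0 on Ethernet
    vid: int  # 12 bits

    @classmethod
    def from_tci(cls, tpid: int, tci: int) -> "VlanTag":
        # TCI bit layout: PRI = bits 15-13, CFI = bit 12, VID = bits 11-0
        return cls(tpid, (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF)

    def to_bytes(self) -> bytes:
        if not (0 <= self.pri <= 7 and self.cfi in (0, 1) and 0 <= self.vid <= 4095):
            raise ValueError("tag field out of range")
        return struct.pack("!HH", self.tpid, (self.pri << 13) | (self.cfi << 12) | self.vid)


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    tags: list        # outer (public) tag first, inner (private) tag last
    ethertype: int    # Length/Type of the encapsulated upper-layer protocol
    payload: bytes

    @property
    def outer_vid(self):
        return self.tags[0].vid if self.tags else None

    @property
    def inner_vid(self):
        return self.tags[-1].vid if len(self.tags) > 1 else None


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the tags after the source address until a non-TPID Length/Type value is found."""
    if len(frame) < MIN_HEADER:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated Length/Type field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tag = VlanTag.from_tci(ethertype, tci)
        if tag.vid in RESERVED_VIDS:
            raise ValueError(f"reserved VID {tag.vid} in tag")
        tags.append(tag)
        offset += 4
    return ParsedFrame(dst, src, tags, ethertype, frame[offset + 2:])


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame with zero or more tags (outer tag first)."""
    return dst + src + b"".join(t.to_bytes() for t in tags) + struct.pack("!H", ethertype) + payload


def pop_outer_tag(frame: bytes) -> bytes:
    """Remove the outermost tag, as a switch does before delivering a frame to a host."""
    if not parse_frame(frame).tags:
        return frame
    return frame[:12] + frame[16:]   # drop the 4 bytes following the source address


# Constructed sample addresses and payload (not captured traffic)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0a0000000001")
ARP = 0x0806
PAYLOAD = bytes(28)

UNTAGGED = build_frame(DST, SRC, [], ARP, PAYLOAD)
SINGLE = build_frame(DST, SRC, [VlanTag(TPID_8021Q, 5, 0, 100)], ARP, PAYLOAD)
QINQ = build_frame(DST, SRC, [VlanTag(TPID_8021Q, 0, 0, 200), VlanTag(TPID_8021Q, 3, 0, 100)],
                   ARP, PAYLOAD)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("single", SINGLE), ("qinq", QINQ)):
        p = parse_frame(f)
        print(name, [(t.vid, t.pri) for t in p.tags], hex(p.ethertype))
```

An 802.1Q-incapable device corresponds to a reader that stops at offset 12 and treats 0x8100 as an unknown Length/Type, which is why Table 5-1 says such a device discards the frame.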
Default VLAN
The default VLAN ID of an interface is called the port default VLAN ID (PVID). The meaning of the default VLAN varies according to the port type.
For details on different PVIDs and methods of processing Ethernet frames, see Frame processing based on the port type.
VLAN Assignment
VLAN assignment is a basic VLAN configuration. Users in the same VLAN can communicate with each other. Table 5-2 shows the VLAN assignment methods and their usage scenarios.
| VLAN Assignment Mode | Principle | Advantage | Disadvantage |
|---|---|---|---|
| VLAN assignment based on interface | In this mode, VLANs are classified based on interface numbers of the switch. The network administrator configures a port VLAN ID (PVID), that is, a default VLAN ID, for each port on the switching device, so that a port belongs to a VLAN by default. Different types of ports process VLAN frames in different manners. | It is simple to define VLAN members. | VLANs must be re-configured when VLAN members change locations. |
| VLAN assignment based on MAC addresses | In this mode, VLANs are classified based on the MAC addresses of network interface cards (NICs). The network administrator configures the mappings between MAC addresses and VLAN IDs. When a switching device receives an untagged packet, it searches the MAC-VLAN table for the tag to add to the packet according to the packet's source MAC address. | When the physical locations of users change, you do not need to re-configure VLANs for the users. This improves the security of users and increases the flexibility of user access. | |
| VLAN assignment based on IP subnets | When receiving an untagged packet, a switching device adds a VLAN tag to the packet based on the source IP address of the packet. | Packets sent from specified network segments or IP addresses are transmitted in specific VLANs. This facilitates management. | This mode is applicable to the networking environment where users are distributed in an orderly manner and multiple users are on the same network segment. |
| Protocol-based VLAN assignment | VLANs are assigned based on protocol (suite) types and encapsulation formats of frames. A network administrator preconfigures mappings between protocol types and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapped to the protocol type of the frame. The frame is then transmitted in the specified VLAN. | This mode binds service types to VLANs, facilitating management and maintenance. | |
When a switch supports multiple VLAN assignment modes, they are applied in descending order of priority: MAC address-based, IP subnet-based, protocol-based, and then interface-based VLAN assignment.
Interface-based VLAN assignment has the lowest priority and is the most common VLAN assignment mode.
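The following is an added example, not code from the original documentation or from any switch implementation. It applies the four assignment modes of Table 5-2 to an untagged frame in the priority order stated above (MAC address, then IP subnet, then protocol, then the interface PVID), returning the chosen VLAN together with the mode that matched. The MAC-VLAN table, subnet table, protocol table and port PVIDs are constructed, and subnets are tried longest prefix first, a design choice the page does not specify.

```python
"""VLAN assignment for an untagged frame in priority order (added example)."""
import ipaddress
from typing import Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


class VlanAssigner:
    def __init__(self, mac_vlan: dict, subnet_vlan: list, proto_vlan: dict, port_pvid: dict):
        # MAC-VLAN table, keyed by normalised (lower-case) MAC address
        self.mac_vlan = {m.lower(): v for m, v in mac_vlan.items()}
        # IP subnet table, longest prefix first so the most specific subnet wins (assumption)
        self.subnet_vlan = sorted(
            ((ipaddress.ip_network(n), v) for n, v in subnet_vlan),
            key=lambda nv: nv[0].prefixlen, reverse=True)
        # Protocol table, keyed by Length/Type value
        self.proto_vlan = dict(proto_vlan)
        # Interface table: PVID per port
        self.port_pvid = dict(port_pvid)

    def assign(self, port: str, src_mac: str, ethertype: int,
               src_ip: Optional[str] = None) -> Tuple[int, str]:
        """Return (VLAN ID, matching mode) for an untagged frame received on `port`."""
        vid = self.mac_vlan.get(src_mac.lower())
        if vid is not None:
            return vid, "mac"
        if src_ip is not None:
            addr = ipaddress.ip_address(src_ip)
            for net, vid in self.subnet_vlan:
                if addr in net:                      # False on an IPv4/IPv6 version mismatch
                    return vid, "ip-subnet"
        vid = self.proto_vlan.get(ethertype)
        if vid is not None:
            return vid, "protocol"
        return self.port_pvid[port], "interface"     # lowest priority: the port's PVID


# Constructed configuration (not from a real device)
ASSIGNER = VlanAssigner(
    mac_vlan={"00:11:22:33:44:55": 10},
    subnet_vlan=[("192.0.2.0/24", 20), ("192.0.2.128/25", 25)],
    proto_vlan={ETHERTYPE_ARP: 30},
    port_pvid={"GE0/0/1": 1, "GE0/0/2": 40},
)

if __name__ == "__main__":
    print(ASSIGNER.assign("GE0/0/1", "00:11:22:33:44:55", ETHERTYPE_IPV4, "192.0.2.9"))    # (10, 'mac')
    print(ASSIGNER.assign("GE0/0/1", "00:aa:bb:cc:dd:ee", ETHERTYPE_IPV4, "192.0.2.9"))    # (20, 'ip-subnet')
    print(ASSIGNER.assign("GE0/0/2", "00:aa:bb:cc:dd:ee", ETHERTYPE_IPV4, "198.51.100.5"))  # (40, 'interface')
```

Because the MAC and IP lookups key on values the sending host supplies, a deployment relying on them for isolation should also monitor for source addresses appearing on unexpected ports; the interface-based fallback is the one mode whose input the host cannot choose.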