A VLAN (virtual LAN) abstracts the idea of the local area network (LAN) by providing data link connectivity for a subnet. One or more network switches may support multiple, independent VLANs, creating Layer 2 (data link) implementations of subnets. A VLAN is associated with a broadcast domain. It is usually composed of one or more Ethernet switches.
VLANs make it easy for network administrators to partition a single switched network to match the functional and security requirements of their systems without having to run new cables or make major changes in their current network infrastructure. Ports (interfaces) on switches can be assigned to one or more VLANs, enabling systems to be divided into logical groups -- based on which department they are associated with -- and establish rules about how systems in the separate groups are allowed to communicate with each other. These groups can range from the simple and practical (computers in one VLAN can see the printer on that VLAN, but computers outside that VLAN cannot), to the complex and legal (for example, computers in the retail banking departments cannot interact with computers in the trading departments).
Each VLAN provides data link access to all hosts connected to switch ports configured with the same VLAN ID. The VLAN tag is a 12-bit field in the Ethernet header that provides support for up to 4,096 VLANs per switching domain. VLAN tagging is standardized in IEEE (Institute of Electrical and Electronics Engineers) 802.1Q and is often called Dot1Q.
When an untagged frame is received from an attached host, the VLAN ID tag configured on that interface is added to the data link frame header, using the 802.1Q format. The 802.1Q frame is then forwarded toward the destination. Each switch uses the tag to keep each VLAN's traffic separate from other VLANs, forwarding it only where the VLAN is configured. Trunk links (described below) between switches handle multiple VLANs, using the tag to keep them segregated. When the frame reaches the destination switch port, the VLAN tag is removed before the frame is to be transmitted to the destination device.
Multiple VLANs can be configured on a single port using a trunk configuration in which each frame sent via the port is tagged with the VLAN ID, as described above. The neighboring device's interface, which may be on another switch or on a host that supports 802.1Q tagging, will need to support trunk mode configuration in order to transmit and receive tagged frames. Any untagged Ethernet frames are assigned to a default VLAN, which can be designated in the switch configuration.
When a VLAN-enabled switch receives an untagged Ethernet frame from an attached host, it adds the VLAN tag assigned to the ingress interface. The frame is forwarded to the port of the host with the destination MAC address (media access control address). Broadcast, unknown unicast and multicast (BUM traffic) is forwarded to all ports in the VLAN. When a previously unknown host replies to an unknown unicast frame, the switches learn the location of this host and do not flood subsequent frames addressed to that host.
The switch-forwarding tables are kept up to date by two mechanisms. First, old forwarding entries are removed from the forwarding tables on a periodic basis, often a configurable timer. Second, any topology change causes the forwarding table refresh timer to be reduced, triggering a refresh.
The Spanning Tree Protocol (STP) is used to create loop-free topology among the switches in each Layer 2 domain. A per-VLAN STP instance can be used, which enables different Layer 2 topologies or a multi-instance STP (MISTP) can be used to reduce STP overhead if the topology is the same among multiple VLANs. STP blocks forwarding on links that might produce forwarding loops, creating a spanning tree from a selected root switch. This blocking means that some links will not be used for forwarding until a failure in another part of the network causes STP to make the link part of an active forwarding path.
The figure above shows a switch domain with four switches with two VLANs. The switches are connected in a ring topology. STP causes one port to go into blocking state so that a tree topology is formed (i.e., no forwarding loops). The port on switch D to switch C is blocking, as indicated by the red bar across the link. The links between the switches and to the router are trunking VLAN 10 (orange) and VLAN 20 (green). The hosts connected to VLAN 10 can communicate with server O. The hosts connected to VLAN 20 can communicate with server G. The router has an IPv4 subnet configured on each VLAN to provide connectivity for any communications between the two VLANs.
Disadvantages of VLAN
The limitation of 4,096 VLANs per switching domain creates problems for large hosting providers, which often need to allocate tens or hundreds of VLANs for each customer. To address this limitation, other protocols, like VXLAN (Virtual Extensible LAN), NVGRE (Network Virtualization using Generic Routing Encapsulation) and Geneve, support larger tags and the ability to tunnel Layer 2 frames within Layer 3 (network) packets.
Finally, data communications between VLANs is performed by routers. Modern switches often incorporate routing functionality and are called Layer 3 switches.