VLANs and 802.1Q VLAN Tagging explained

VLANs are a feature of almost all managed network switches. A managed switch will allow you to assign ports to VLAN groups. Devices in one VLAN will not be able to directly communicate with devices in another VLAN. In simple terms, creating VLANs is a bit like splitting a switch into multiple smaller switches.

Why would I buy an expensive managed switch when I could just buy multiple cheap unmanaged switches, I hear you ask. Well, a port can be assigned to multiple VLANs. If you wanted to, for example, break 192.168.0.1/24 (254 usable IP addresses) into 2 groups of 192.168.0.1-192.168.0.100 and 192.168.0.101-192.168.0.254, you could create 2 VLANs, one for the devices in each IP range. You could then have an administrative terminal connected to a switch port which is in both VLANs. This administrative terminal can then access devices in both IP ranges.

So what is 802.1Q VLAN tagging? Well, it allows a single port to access multiple VLANs, even if the devices in each VLAN are in a different IP subnet. For example, if your network had two departments, one which used 192.168.0.1/24 and the other which used 10.1.1.1/24, you could create two VLANs as described above. You could then create an 802.1Q VLAN tagged port on the switch and connect a device such as an administrative computer or a router to it. You would then configure the administrative computer or router with 2 IP addresses (for example 192.168.0.100 and 10.1.1.100) and associate each IP with the correct VLAN. Every frame sent from the router to the switch carries a tag that tells the switch which VLAN it is for (and vice versa).

Here is an example use case for 802.1Q VLANs:

A switch has 3 VLANs on it…

  1. Ports 1-4 :: Internet facing devices such as the modem and servers
  2. Ports 5-14 :: Devices in the finance department
  3. Ports 14-20 :: Devices in the HR department

In ports 1-4 (VLAN1) we have connected the modem and a Linux server. These have public IP addresses in the 13.14.15.16/28 range. In ports 5-14 we have connected PCs in the finance department which have private IP addresses in the 192.168.1.0/24 range. In ports 14-20 we have devices in the HR department which have private IP addresses in the 10.0.1.0/24 range.

Port 21 is an 802.1Q VLAN tagged port with access to all 3 VLANs. Into this port, we have connected a router. This router has an IP address for each VLAN (192.168.1.1, 10.0.1.1 and 13.14.15.17). The router routes packets between the three VLANs to give the private IPs access to the Internet, using NAT, as well as routing packets between the two private subnets to give the HR department access to files in the finance department and vice versa.
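To make the "every frame carries a tag" idea from the tagging explanation and the port 21 use case concrete, here is an added Python example (not code from the original post) that builds and decodes the 802.1Q header: a 0x8100 EtherType followed by a 16-bit Tag Control Information field holding the 3-bit priority, the drop-eligible bit and the 12-bit VLAN ID. It also models, as an assumption about typical managed-switch behaviour that the post does not spell out, what a switch does with a frame arriving on the tagged port: tagged frames go to the VLAN named in the tag if the port is a member of it, untagged or VID-0 (priority-only) frames fall back to the port's default VLAN, and anything else is dropped. The VLAN IDs 1, 2 and 3 for the three VLANs in the use case, the MAC addresses and the payload bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

# VLAN-to-subnet map for the use case in the text. The VLAN IDs 1, 2 and 3 are
# an assumption; the text only numbers the VLANs in a list.
VLAN_SUBNETS = {1: "13.14.15.16/28", 2: "192.168.1.0/24", 3: "10.0.1.0/24"}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: int             # priority code point (3 bits); 0 when untagged
    dei: int             # drop eligible indicator (1 bit); 0 when untagged
    ethertype: int       # EtherType of the encapsulated payload
    payload: bytes


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Serialise an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    out = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID must fit in 12 bits")
        # TCI layout, most significant bit first: PCP(3) | DEI(1) | VID(12)
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
        out += struct.pack("!HH", TPID_8021Q, tci)
    return out + struct.pack("!H", ethertype) + payload


def parse_frame(raw):
    """Decode the header and pull the VLAN ID out of the tag if one is present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, pcp, dei, offset = None, 0, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("802.1Q tag announced but truncated")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF
        offset = 18
    return Frame(dst, src, vid, pcp, dei, ethertype, raw[offset:])


def classify_ingress(raw, port_vlans, pvid):
    """Model a switch receiving a frame on a tagged port (assumed behaviour).

    port_vlans: VIDs the port is a member of. pvid: the VLAN used for frames
    that arrive untagged or with VID 0 (a priority-only tag).
    Returns the VLAN the frame is placed in, or None if the switch drops it.
    """
    vid = parse_frame(raw).vid
    if vid is None or vid == 0:
        vid = pvid
    if vid == 4095:          # reserved value, never a usable VLAN
        return None
    return vid if vid in port_vlans else None


def route_from_port21(frames, pvid=1):
    """Map each frame arriving on port 21 (member of VLANs 1-3) to its subnet."""
    port21 = set(VLAN_SUBNETS)
    out = []
    for raw in frames:
        vlan = classify_ingress(raw, port21, pvid)
        out.append(VLAN_SUBNETS.get(vlan))   # None means the switch dropped it
    return out


if __name__ == "__main__":
    router = bytes.fromhex("020000000001")    # constructed, locally administered MAC
    server = bytes.fromhex("020000000002")
    payload = b"\x45" + b"\x00" * 19          # constructed stand-in for an IPv4 header
    frames = [build_frame(server, router, ETHERTYPE_IPV4, payload, vid=v) for v in (1, 2, 3)]
    frames.append(build_frame(server, router, ETHERTYPE_IPV4, payload))          # untagged
    frames.append(build_frame(server, router, ETHERTYPE_IPV4, payload, vid=7))   # not on port 21
    for raw, subnet in zip(frames, route_from_port21(frames)):
        print(parse_frame(raw).vid, "->", subnet)
```

The tag sits between the source MAC and the original EtherType, which is why a receiver has to look at bytes 12-13 before it knows where the payload starts; equipment that does not understand 802.1Q sees an unknown EtherType of 0x8100 and normally discards the frame, which is the practical reason the tagged port should only be connected to a VLAN-aware device such as the router in the use case.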